Suggested CVSS: 8.6 / High (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
DotNetZip >= 1.10.1 (May 2018), <= 1.16.0 (latest release) (NuGet, GitHub)
DotNetZip is affected by an absolute path traversal vulnerability. Despite the protection in place during extraction, the destination path of the current ZIP entry is mutated after its sanitization, breaking security guarantees. This is effectively a bypass of the patch for CVE-2018-1002205.
Following our report to the upstream maintainer and Microsoft, the repository was marked read-only and the package was marked legacy on NuGet. The package is still available for download and will not receive a patch, making it a "forever-day".
We recommend migrating code to System.IO.Compression, and have attached a patch for DotNetZip to fix this bug during the transition period.
Finder, Remediation Developer: Thomas Chauchefoin (Bentley Systems)
Regarding StartsWith for such purposes, it is recommended to use StringComparison.OrdinalIgnoreCase
https://blog.mindedsecurity.com/2018/10/how-to-prevent-path-traversal-in-net.html
https://www.stackhawk.com/blog/net-path-traversal-guide-examples-and-prevention/
It may not make a difference here, but potential UTF-8 / encoding attacks would be avoided (some colleagues directly recommended that change when we reviewed the patch).
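As an added illustration of the advisory's "sanitized, then mutated" pattern and of the StartsWith/OrdinalIgnoreCase point raised above, here is example code that is not DotNetZip's own: the helper names and the temp-directory root are assumptions, and the hardened resolver checks the final path as its last step.

```csharp
using System;
using System.IO;

static class SafeExtract
{
    // Vulnerable shape (constructed example): the entry name is sanitized and
    // checked, but the destination is then rebuilt from the raw name, which
    // discards the guarantee the check just established.
    static string ResolveUnsafe(string root, string entryName)
    {
        string sanitized = entryName.TrimStart('/', '\\');
        string checkedPath = Path.GetFullPath(Path.Combine(root, sanitized));
        if (!checkedPath.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            throw new IOException("traversal");
        // Mutation after the check: Path.Combine returns its second argument
        // unchanged when that argument is rooted, so an absolute entry name
        // escapes root here despite the check above.
        return Path.Combine(root, entryName);
    }

    // Hardened shape: normalise first, check last, and never touch the path
    // again after the check. Rooted names are rejected outright.
    public static string ResolveSafe(string root, string entryName)
    {
        string fullRoot = Path.GetFullPath(root)
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
            + Path.DirectorySeparatorChar; // trailing separator prevents "root2" matching "root"
        string candidate = Path.GetFullPath(Path.Combine(fullRoot, entryName));
        if (Path.IsPathRooted(entryName)
            || !candidate.StartsWith(fullRoot, StringComparison.OrdinalIgnoreCase))
            throw new IOException($"Entry '{entryName}' resolves outside '{fullRoot}'");
        return candidate;
    }

    static void Main()
    {
        // Assumed extraction root; entry names are constructed samples.
        // Whether "C:\..." counts as rooted depends on the host platform.
        string root = Path.Combine(Path.GetTempPath(), "extract-root");
        string[] names = { "docs/readme.txt", "../escape.txt", "/tmp/abs.txt", @"C:\Windows\win.ini" };
        foreach (string name in names)
        {
            try { Console.WriteLine($"{name} -> {ResolveSafe(root, name)}"); }
            catch (IOException e) { Console.WriteLine($"{name} -> rejected: {e.Message}"); }
        }
    }
}
```

ResolveUnsafe is kept only to show the shape of the bug; the comparison in ResolveSafe uses the ordinal, case-insensitive check recommended in the comment above and includes the trailing separator so a sibling directory with the same prefix is not accepted.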