Due to some requests by the local security team, I am looking into whether some of the software we use is exposed to zip-slip.
Digging around in the Kibana codebase on GitHub, I spotted https://github.com/elastic/kibana/blob/da1268d3221e25952e2207c37fde4f3b9d2688ce/packages/kbn-es/src/utils/decompress.js#L40-L85, which looks like it extracts a zip file without checking whether an entry path contains a leading `../`.
This code looks like it is only used by plugin management, so it limits exposure to first being persuaded to install a compromised archive as a Kibana plugin, but it would be nice to confirm whether this is indeed correct, and whether that is the only vulnerable place.