Why this matters
The bug. ZIP entries can carry any path. Path.Combine("/srv/uploads", "../../etc/passwd") yields a path that resolves to /etc/passwd. The overwrite: true flag then clobbers any file the process can write: sshd_config, crontab, web root, anything.
The fix. Either flatten the structure (Path.GetFileName(entry.FullName) discards the directory part) or resolve and check containment. .NET 6 added the two-argument Path.GetFullPath(path, basePath) overload which throws when the result escapes the base directory.
Defense in depth. Run the extraction in a sandboxed worker that can only write under a single chrooted directory. CVE-2018-1002201 ('Zip Slip') affected dozens of major libraries.
Review heuristic
Whenever filesystem path concatenation meets a request value, verify there's a containment check on the resolved absolute path. The check has to come after normalization and has to fail closed (reject by default), not by string-stripping ...
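The resolve-and-check-containment option, as an added example rather than code from the original page: it normalizes with Path.GetFullPath first, compares the result against the extraction root itself, and rejects anything outside it. SafeUnzip, ResolveInside and the in-memory sample archive are names and data constructed for illustration.

```csharp
using System;
using System.IO;
using System.IO.Compression;
using System.Text;

static class SafeUnzip   // hypothetical helper, not a framework type
{
    // Resolve entryName under baseDir; fail closed if the result escapes it.
    public static string ResolveInside(string baseDir, string entryName)
    {
        string root = Path.GetFullPath(baseDir);
        // Trailing separator so "/srv/uploads-old" never matches "/srv/uploads".
        if (!root.EndsWith(Path.DirectorySeparatorChar)) root += Path.DirectorySeparatorChar;
        // Normalize first (collapses "..", honours rooted names), then compare.
        string full = Path.GetFullPath(Path.Combine(root, entryName));
        if (!full.StartsWith(root, StringComparison.Ordinal))
            throw new InvalidDataException($"entry escapes extraction root: {entryName}");
        return full;
    }

    public static void Extract(Stream zip, string baseDir)
    {
        using var archive = new ZipArchive(zip, ZipArchiveMode.Read);
        foreach (ZipArchiveEntry entry in archive.Entries)
        {
            string dest = ResolveInside(baseDir, entry.FullName);
            if (entry.FullName.EndsWith('/')) { Directory.CreateDirectory(dest); continue; }
            Directory.CreateDirectory(Path.GetDirectoryName(dest)!);
            entry.ExtractToFile(dest, overwrite: false);   // never clobber existing files
        }
    }

    static void Main()
    {
        // Constructed sample archive: one ordinary entry, one traversal entry.
        var ms = new MemoryStream();
        using (var w = new ZipArchive(ms, ZipArchiveMode.Create, leaveOpen: true))
            foreach (var name in new[] { "docs/readme.txt", "../../outside.txt" })
                using (var s = w.CreateEntry(name).Open())
                    s.Write(Encoding.UTF8.GetBytes("sample"));
        ms.Position = 0;

        string root = Path.Combine(Path.GetTempPath(), "unzip-" + Guid.NewGuid().ToString("N"));
        Directory.CreateDirectory(root);
        try { Extract(ms, root); }
        catch (InvalidDataException ex) { Console.WriteLine("rejected: " + ex.Message); }
        Console.WriteLine(File.Exists(Path.Combine(root, "docs", "readme.txt")));
        Directory.Delete(root, recursive: true);
    }
}
```

Extraction stops at the first rejected entry, so an archive containing a traversal name is treated as hostile as a whole rather than partially accepted.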
External reference: CWE-22: Path Traversal.