CWE-409 (Improper Handling of Highly Compressed Data (Data Amplification)) — Vulnerability Class 39

39 vulnerabilities are classified as CWE-409 (Improper Handling of Highly Compressed Data (Data Amplification)). AI-generated Chinese analysis is included.

CWE-409 represents a critical input validation weakness where software fails to adequately manage inputs with extreme compression ratios, leading to data amplification during decompression. Attackers typically exploit this vulnerability by crafting malicious archives, such as "decompression bombs," which are deceptively small but expand into massive amounts of data upon extraction. This exploitation can rapidly exhaust system memory, CPU resources, or disk space, resulting in denial-of-service conditions or application crashes. To mitigate this risk, developers must implement strict limits on decompression sizes and monitor resource consumption during the process. Effective defenses include setting maximum allowable output thresholds, using timeout mechanisms to halt prolonged decompression tasks, and validating input complexity before processing. By enforcing these constraints, organizations can prevent attackers from leveraging compression algorithms to overwhelm system resources and maintain service availability.
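As an added example (not code from this page or from any of the projects listed below), the following Python shows the mitigation the paragraph describes: a zlib stream is inflated in bounded steps and the decompressor is abandoned the moment a hard output cap or an expansion-ratio cap is exceeded, so memory never grows past the budget plus one chunk. The sample input is constructed inline, and the function and exception names are my own.

```python
import zlib
from typing import Optional


class DecompressionLimitExceeded(Exception):
    """Raised when inflating the input would exceed the configured budget."""


def bounded_decompress(data: bytes, max_output: int,
                       max_ratio: Optional[float] = None,
                       chunk: int = 64 * 1024) -> bytes:
    """Inflate a zlib stream incrementally, aborting as soon as a limit is hit.

    Each call to decompress() is capped at `chunk` bytes of output (max_length),
    so the limits are re-checked before more than one chunk of new data exists.
    The leftover compressed input is carried in unconsumed_tail between calls.
    """
    d = zlib.decompressobj()
    out = bytearray()
    pending = data
    while not d.eof:
        piece = d.decompress(pending, chunk)
        out.extend(piece)
        # Hard cap: the caller decides how much output it can afford at all.
        if len(out) > max_output:
            raise DecompressionLimitExceeded(
                f"output exceeded {max_output} bytes from {len(data)} input bytes")
        # Ratio cap: a small input that keeps producing output is the CWE-409 pattern.
        if max_ratio is not None and len(out) > max_ratio * len(data):
            raise DecompressionLimitExceeded(f"expansion ratio exceeded {max_ratio}:1")
        pending = d.unconsumed_tail
        if not pending and not piece:
            # Input exhausted and nothing buffered, yet no end-of-stream marker:
            # the stream is truncated; stop instead of looping forever.
            break
    return bytes(out)


def classify(data: bytes, max_output: int, max_ratio: Optional[float] = None) -> str:
    """Non-raising wrapper: 'ok', 'rejected' (limit tripped) or 'corrupt' (not zlib)."""
    try:
        bounded_decompress(data, max_output, max_ratio)
    except DecompressionLimitExceeded:
        return "rejected"
    except zlib.error:
        return "corrupt"
    return "ok"


# Constructed sample: 1 MiB of a single repeated byte compresses to roughly a
# kilobyte, an expansion ratio in the hundreds, which is exactly the kind of
# input an unbounded inflate loop would expand in full before noticing.
SAMPLE_PLAIN = b"A" * (1 << 20)
SAMPLE_COMPRESSED = zlib.compress(SAMPLE_PLAIN, 9)

if __name__ == "__main__":
    print(f"{len(SAMPLE_COMPRESSED)} compressed bytes -> {len(SAMPLE_PLAIN)} plain bytes")
    print("budget 2 MiB       :", classify(SAMPLE_COMPRESSED, 2 << 20))
    print("budget 256 KiB     :", classify(SAMPLE_COMPRESSED, 256 << 10))
    print("ratio cap 100:1    :", classify(SAMPLE_COMPRESSED, 2 << 20, max_ratio=100))
    print("garbage input      :", classify(b"not zlib", 1024))
```

The hard cap is the limit worth enforcing everywhere (it bounds the worst case regardless of input size); the ratio cap is a cheaper early signal for pre-auth paths where even the budget is more than you want to spend on an unauthenticated request, at the cost of occasionally rejecting legitimately repetitive data.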

MITRE CWE Description
The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output. An example of data amplification is a "decompression bomb," a small ZIP file that can produce a large amount of data when it is decompressed.
Common Consequences (1)
Scope: Availability. Impact: DoS: Amplification; DoS: Crash, Exit, or Restart; DoS: Resource Consumption (CPU); DoS: Resource Consumption (Memory).
System resources, CPU and memory, can be quickly consumed. This can lead to poor system performance or system crash.
Examples (1)
The DTD and the very brief XML below illustrate what is meant by an XML bomb. The ZERO entity contains one character, the letter A. The choice of entity name ZERO is being used to indicate length equivalent to that exponent on two, that is, the length of ZERO is 2^0. Similarly, ONE refers to ZERO twice, therefore the XML parser will expand ONE to a length of 2, or 2^1. Ultimately, we reach entity …
<?xml version="1.0"?>
<!DOCTYPE MaliciousDTD [
<!ENTITY ZERO "A">
<!ENTITY ONE "&ZERO;&ZERO;">
<!ENTITY TWO "&ONE;&ONE;">
...
<!ENTITY THIRTYTWO "&THIRTYONE;&THIRTYONE;">
]>
<data>&THIRTYTWO;</data>
Attack · XML
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-27460 | Tandoor Recipes Affected by Denial of Service via Recipe Import | recipes | 6.5 | Medium | 2026-04-10 |
| CVE-2026-40148 | PraisonAI Affected by Decompression Bomb DoS via Recipe Bundle Extraction Without Size Limits | PraisonAI | 6.5 | Medium | 2026-04-09 |
| CVE-2026-39373 | JWCrypto: JWE ZIP decompression bomb | jwcrypto | 5.3 | Medium | 2026-04-07 |
| CVE-2026-3114 | Zip Bomb Denial of Service via Unrestricted Archive Decompression | Mattermost | 6.5 | Medium | 2026-03-26 |
| CVE-2026-32044 | OpenClaw < 2026.3.2 - Tar Archive Safety Bypass in Skills Installation | OpenClaw | 5.5 | Medium | 2026-03-21 |
| CVE-2026-2575 | Keycloak: keycloak: denial of service due to excessive samlrequest decompression | Red Hat build of Keycloak 26.4 | 5.3 | Medium | 2026-03-18 |
| CVE-2026-32630 | file-type affected by ZIP Decompression Bomb DoS via [Content_Types].xml entry | file-type | 5.3 | Medium | 2026-03-13 |
| CVE-2026-23943 | Pre-auth SSH DoS via unbounded zlib inflate | OTP | 7.5 | - | 2026-03-13 |
| CVE-2026-1526 | undici is vulnerable to Unbounded Memory Consumption in undici WebSocket permessage-deflate Decompression | undici | 7.5 | High | 2026-03-12 |
| CVE-2026-25962 | MarkUs: Zip bomb in config upload enables DoS | Markus | 6.5 | Medium | 2026-03-06 |
| CVE-2026-27809 | psd-tools: Compression module has unguarded zlib decompression, missing dimension validation, and hardening gaps | psd-tools | 6.5 (AI) | Medium (AI) | 2026-02-25 |
| CVE-2026-27571 | nats-server websockets are vulnerable to pre-auth memory DoS | nats-server | 5.9 | Medium | 2026-02-24 |
| CVE-2026-22870 | GuardDog Zip Bomb Vulnerability in safe_extract() Allows DoS | guarddog | 7.5 (AI) | High (AI) | 2026-01-13 |
| CVE-2026-22776 | cpp-httplib vulnerable to a denial of service (DOS) using a zip bomb | cpp-httplib | 7.5 (AI) | High (AI) | 2026-01-12 |
| CVE-2026-21441 | urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API) | urllib3 | 7.5 | - | 2026-01-07 |
| CVE-2025-69223 | AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb | aiohttp | 7.5 | High | 2026-01-05 |
| CVE-2025-66471 | urllib3 Streaming API improperly handles highly compressed data | urllib3 | 9.8 | - | 2025-12-05 |
| CVE-2025-62708 | pypdf manipulated LZWDecode streams can exhaust RAM | pypdf | 4.3 | - | 2025-10-22 |
| CVE-2025-58057 | Netty's BrotliDecoder is vulnerable to DoS via zip bomb style attack | netty | 7.5 (AI) | High (AI) | 2025-09-03 |
| CVE-2025-46730 | Mobile Security Framework (MobSF) Allows Web Server Resource Exhaustion via ZIP of Death Attack | Mobile-Security-Framework-MobSF | 6.8 | Medium | 2025-05-05 |
| CVE-2024-55909 | IBM Concert Software denial of service | Concert Software | 6.5 | Medium | 2025-05-02 |
| CVE-2025-32949 | PeerTube User Import Authenticated Resource Exhaustion | | 6.5 | Medium | 2025-04-15 |
| CVE-2025-0986 | IBM PowerVM Hypervisor data manipulation | PowerVM Hypervisor | 4.5 | Medium | 2025-03-28 |
| CVE-2024-12387 | Improper Input Validation in binary-husky/gpt_academic | binary-husky/gpt_academic | 7.5 | - | 2025-03-20 |
| CVE-2024-12886 | Out-Of-Memory (OOM) Vulnerability in ollama/ollama | ollama/ollama | 7.5 | - | 2025-03-20 |
| CVE-2024-7765 | Denial of Service in h2oai/h2o-3 | h2oai/h2o-3 | 7.5 | - | 2025-03-20 |
| CVE-2024-54016 | compression bomb attack in Apache Seata Server | Apache Seata (incubating) | 9.1 | - | 2025-03-20 |
| CVE-2025-30153 | Improper Handling of Highly Compressed Data (Data Amplification) in github.com/getkin/kin-openapi/openapi3filter | kin-openapi | 7.5 | High | 2025-03-19 |
| CVE-2024-54682 | Zipbomb DoS via Missing Slack Import Validation | Mattermost | 6.5 | Medium | 2024-12-16 |
| CVE-2024-43499 | .NET and Visual Studio Denial of Service Vulnerability | Microsoft Visual Studio 2022 version 17.6 | 7.5 | High | 2024-11-12 |

Values marked (AI) carry the page's own "AI" tag on that score or severity; "-" means no severity is listed.

Vulnerabilities classified as CWE-409 (Improper Handling of Highly Compressed Data (Data Amplification)) account for 39 CVEs. The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.