CVE-2019-12402

HIGH

Apache Commons Compress <1.19 - DoS


Exploitation Summary

EIP tracks 2 public repositories for CVE-2019-12402, published by dawetmaster and andikahilmy. Both hold a vulnerable Commons Compress source tree; per the analyses below, neither contains exploit code or a proof-of-concept input.

AI-analyzed exploit summary: This repository contains the source code for Apache Commons Compress, specifically a vulnerable version (b95d5cd) related to CVE-2019-12402. However, it lacks any exploit code, proof-of-concept, or technical analysis of the vulnerability itself.

Description

The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress. The trigger described is name encoding during archive creation, so the exposed applications are those that write archives whose entry names an attacker can influence (export, backup or download features, for example); the fix is to upgrade to 1.19 or later.
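The practical check for this advisory is a dependency audit: find every Commons Compress build in the 1.15 through 1.18 range. The script below is an added example, not code from this page or from the Commons Compress project. It takes the version bounds from the advisory text above and flags a build either from the `Implementation-Version` field of a jar's `META-INF/MANIFEST.MF` or from `mvn dependency:tree` output; the jar it builds and the dependency-tree excerpt it scans are constructed sample data, not real artifacts.

```python
"""Added example: flag Apache Commons Compress builds in the CVE-2019-12402 range.

Affected range per the advisory: 1.15 <= version < 1.19 (fixed in 1.19).
The sample jar and the dependency-tree text below are constructed for illustration.
"""
import io
import re
import zipfile

AFFECTED_FROM = (1, 15)   # first affected release per the advisory
FIXED_IN = (1, 19)        # first release carrying the fix


def parse_version(version):
    """'1.18' -> (1, 18); '1.19-SNAPSHOT' -> (1, 19). Only the numeric dotted prefix is compared."""
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not m:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def is_affected(version):
    """True iff AFFECTED_FROM <= version < FIXED_IN (tuple comparison orders '1.9' before '1.18')."""
    return AFFECTED_FROM <= parse_version(version) < FIXED_IN


def manifest_version(jar_bytes):
    """Return Implementation-Version from META-INF/MANIFEST.MF, or None if the field is absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        text = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    # JAR manifests wrap long lines at 72 bytes; a continuation line starts with one space.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    for line in text.split("\n"):
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def jar_is_affected(jar_bytes):
    """Manifest lookup plus range check; a jar with no version field is not flagged."""
    version = manifest_version(jar_bytes)
    return version is not None and is_affected(version)


# mvn dependency:tree prints coordinates as group:artifact:type:version:scope
COORD_RE = re.compile(r"org\.apache\.commons:commons-compress:jar:([^:\s]+)")


def affected_coordinates(tree_text):
    """List every commons-compress coordinate in dependency-tree output that falls in the range."""
    hits = []
    for line in tree_text.splitlines():
        m = COORD_RE.search(line)
        if m and is_affected(m.group(1)):
            hits.append(f"org.apache.commons:commons-compress:jar:{m.group(1)}")
    return hits


def build_sample_jar(version):
    """Constructed sample: a jar holding only a manifest with the fields a real build carries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(
            "META-INF/MANIFEST.MF",
            "Manifest-Version: 1.0\n"
            "Implementation-Title: Apache Commons Compress\n"
            f"Implementation-Version: {version}\n"
            "Implementation-Vendor-Id: org.apache\n",
        )
    return buf.getvalue()


# Constructed dependency-tree excerpt (not real build output).
SAMPLE_TREE = """\
[INFO] com.example:reporting:jar:2.3.0
[INFO] +- org.apache.commons:commons-compress:jar:1.18:compile
[INFO] +- org.apache.commons:commons-lang3:jar:3.9:compile
[INFO] \\- com.example:archiver:jar:1.0:compile
[INFO]    \\- org.apache.commons:commons-compress:jar:1.19:compile
"""

if __name__ == "__main__":
    for v in ("1.14", "1.15", "1.18", "1.19"):
        print(v, "affected" if is_affected(v) else "not affected")
    print(affected_coordinates(SAMPLE_TREE))
```

Run it against real jars by passing the file's bytes to `jar_is_affected`, or pipe `mvn dependency:tree` output into `affected_coordinates`. Shaded or repackaged copies (such as the `io.github.1tchy...` artifact in the product list) will not match the Maven coordinate regex, so the manifest check is the more reliable of the two for those.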

Exploits (2)

nomisec STUB
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2019-12402-commons-compress-vulnerable

This repository contains the source code for Apache Commons Compress, specifically a vulnerable version (b95d5cd) related to CVE-2019-12402. However, it lacks any exploit code, proof-of-concept, or technical analysis of the vulnerability itself.

Classification
Stub 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: Apache Commons Compress
No auth needed
Prerequisites: Vulnerable version of Apache Commons Compress
devstral-2 · analyzed Mar 14, 2026
nomisec WRITEUP
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2019-12402-commons-compress-vulnerable

This repository contains the vulnerable source code of Apache Commons Compress, which is affected by CVE-2019-12402. The analysis attributes the infinite loop and denial-of-service (DoS) condition to ARJ archive handling; the advisory itself locates it in the file name encoding routine used when Compress creates an archive, so treat the ARJ attribution with caution. The repository includes build instructions and contributing guidelines but does not contain an exploit PoC or scanner.

Classification
Writeup 90%
Attack Type
Dos
Complexity
Moderate
Reliability
Theoretical
Target: Apache Commons Compress (versions prior to 1.19)
No auth needed
Prerequisites: Application that creates archives with attacker-influenced entry names using a vulnerable Apache Commons Compress library (the "malicious ARJ archive file" named in the analysis does not match the advisory, which describes archive creation rather than parsing)
devstral-2 · analyzed Feb 18, 2026

References (30; 1 shown)

Core References

Third Party Advisory: https://www.oracle.com/security-alerts/cpuoct2021.html

Scores

CVSS v3.1 7.5 (High)
EPSS 0.0041
EPSS Percentile 62.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-835 (Loop with Unreachable Exit Condition, 'Infinite Loop')
Status published
Products (40)
apache/commons_compress 1.15 - 1.18
fedoraproject/fedora 30
fedoraproject/fedora 31
io.github.1tchy.java9modular.org.apache.commons/commons-compress Maven
oracle/banking_payments 14.1.0 - 14.4.0
oracle/banking_platform 2.6.2
oracle/banking_platform 2.7.0
oracle/banking_platform 2.8.0
oracle/banking_platform 2.9.0
oracle/communications_element_manager 8.2.0 - 8.2.2
... and 30 more
Published Aug 30, 2019
Tracked Since Feb 18, 2026