CVE-2021-36090

HIGH

Apache Commons Compress 1.0-1.20 - Denial of Service via Malicious ZIP Archive

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2021-36090. PoCs published by dawetmaster and andikahilmy.

AI-analyzed exploit summary: of the two tracked repositories, dawetmaster's contains only the source code of the vulnerable Apache Commons Compress release, with no exploit code, PoC or technical analysis (a stub), while andikahilmy's is classified as a working PoC that demonstrates the memory-exhaustion denial of service.

Description

When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.
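The practical question for a defender is whether a build pulls in an affected release (1.0 through 1.20; 1.21 carries the fix). The following is an added check, not part of the EIP record or of the Commons Compress project: a Python script that classifies commons-compress versions found in a Maven pom.xml or a jar's META-INF/MANIFEST.MF. It assumes the Maven coordinates org.apache.commons:commons-compress, a numeric X.Y[.Z] version scheme, and a manifest carrying Implementation-Version as Maven-built jars do; the pom.xml and manifest samples are constructed.

```python
"""Flag Apache Commons Compress releases affected by CVE-2021-36090.

Added example, not the project's own code. Affected range is 1.0 <= v < 1.21,
as listed in the CVE record; anything else is reported as not-affected.
"""

import re
import xml.etree.ElementTree as ET

FIRST_AFFECTED = (1, 0)   # oldest release listed as affected
FIXED_VERSION = (1, 21)   # first release carrying the fix


def parse_version(version):
    """Turn '1.20' or '1.21-SNAPSHOT' into a comparable tuple such as (1, 20)."""
    core = version.split("-", 1)[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def classify(version):
    """'affected' for 1.0 <= v < 1.21, 'not-affected' otherwise, and
    'unresolved' for Maven property placeholders such as ${compress.version}
    that have to be resolved against <properties> before they can be judged."""
    if version.startswith("${"):
        return "unresolved"
    v = parse_version(version)
    return "affected" if FIRST_AFFECTED <= v < FIXED_VERSION else "not-affected"


def _local(tag):
    """Strip the Maven XML namespace ('{http://...}dependency' -> 'dependency')."""
    return tag.rsplit("}", 1)[-1]


def find_commons_compress(pom_xml):
    """Return [(version, classification)] for every commons-compress dependency
    declared in a pom.xml string (covers <dependencies> and <dependencyManagement>)."""
    root = ET.fromstring(pom_xml)
    found = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in dep}
        if (fields.get("groupId") == "org.apache.commons"
                and fields.get("artifactId") == "commons-compress"):
            ver = fields.get("version", "")
            found.append((ver, classify(ver) if ver else "unresolved"))
    return found


def version_from_manifest(manifest_text):
    """Pull Implementation-Version out of a MANIFEST.MF body; None if absent
    (assumed present, as in Maven-built jars)."""
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest_text, re.MULTILINE)
    return m.group(1) if m else None


# Constructed sample inputs (not taken from any real project).
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-compress</artifactId>
      <version>1.20</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.12.0</version>
    </dependency>
  </dependencies>
</project>
"""

SAMPLE_MANIFEST = (
    "Manifest-Version: 1.0\n"
    "Implementation-Title: Apache Commons Compress\n"
    "Implementation-Version: 1.21\n"
)

if __name__ == "__main__":
    for ver, status in find_commons_compress(SAMPLE_POM):
        print(f"pom.xml: commons-compress {ver} -> {status}")
    mver = version_from_manifest(SAMPLE_MANIFEST)
    print(f"manifest: commons-compress {mver} -> {classify(mver)}")
```

Transitive dependencies are not visible in a single pom.xml; run the check against the resolved tree (for example the output of `mvn dependency:list`) or against the jars actually shipped, which is what the manifest path is for.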

Exploits (2)

nomisec STUB
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2021-36090-commons-compress-vulnerable

The repository contains only the source code of the vulnerable Apache Commons Compress library (version affected by CVE-2021-36090) without any exploit code, PoC, or technical analysis. It appears to be a placeholder or reference implementation rather than a functional exploit.

Classification
Stub 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: Apache Commons Compress (versions before 1.21)
No auth needed
Prerequisites: None
devstral-2 · analyzed Mar 14, 2026
nomisec WORKING POC
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2021-36090-commons-compress-vulnerable

This repository contains a vulnerable version of Apache Commons Compress, specifically targeting CVE-2021-36090. The code includes the classes needed to demonstrate the vulnerability: a crafted ZIP archive makes Compress allocate large amounts of memory until an out-of-memory error occurs, a denial-of-service (DoS) condition. The CVE affects availability only (CVSS C:N/I:N/A:H); it does not provide arbitrary file write.

Classification
Working Poc 90%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: Apache Commons Compress (versions before 1.21)
No auth needed
Prerequisites: Access to a system using a vulnerable version of Apache Commons Compress
devstral-2 · analyzed Feb 18, 2026

References (34)

Core References
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2021/07/13/4
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2021/07/13/6
Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuoct2021.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujan2022.html
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20211022-0001/
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuapr2022.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujul2022.html

Scores

CVSS v3 7.5
EPSS 0.0074
EPSS Percentile 73.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-130
Status published
Products (48)
apache/commons_compress 1.0 - 1.20
netapp/active_iq_unified_manager (3 CPE variants)
netapp/oncommand_insight
oracle/banking_apis 19.1
oracle/banking_apis 19.2
oracle/banking_apis 20.1
oracle/banking_apis 21.1
oracle/banking_apis 18.1 - 18.3
oracle/banking_digital_experience 19.1
oracle/banking_digital_experience 19.2
... and 38 more
Published Jul 13, 2021
Tracked Since Feb 18, 2026