Description
An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.
References (18)
Core 18
Core References
Various Sources
https://www.bamsoftware.com/hacks/zipbomb/
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/
Vendor Advisory
https://security.netapp.com/advisory/ntap-20250411-0005/
Issue Tracking issue-tracking
https://github.com/python/cpython/issues/109858
Various Sources vendor-advisory
https://mail.python.org/archives/list/[email protected]/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/
Scores
CVSS v3
6.2
EPSS
0.0034
EPSS Percentile
25.2%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-405
Status
published
Products (6)
Python Software Foundation/CPython
< 3.8.19
Python Software Foundation/CPython
3.10.0 - 3.10.14
Python Software Foundation/CPython
3.11.0 - 3.11.8
Python Software Foundation/CPython
3.12.0 - 3.12.2
Python Software Foundation/CPython
3.13.0a1 - 3.13.0a3
Python Software Foundation/CPython
3.9.0 - 3.9.19
Published
Mar 19, 2024
Tracked Since
Feb 18, 2026