Description
There is a HIGH severity vulnerability affecting the CPython "zipfile" module affecting "zipfile.Path". Note that the more common API "zipfile.ZipFile" class is unaffected. When iterating over names of entries in a zip archive (for example, methods of "zipfile.Path" like "namelist()", "iterdir()", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected.
References (22)
Core 22
Core References
Vendor Advisory
https://security.netapp.com/advisory/ntap-20241011-0010/
Various Sources vendor-advisory
https://mail.python.org/archives/list/[email protected]/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/
Issue Tracking patch
https://github.com/python/cpython/pull/122906
Issue Tracking issue-tracking
https://github.com/python/cpython/issues/122905
Issue Tracking issue-tracking
https://github.com/python/cpython/issues/123270
Scores
CVSS v4
8.7
EPSS
0.0127
EPSS Percentile
66.0%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/S:N/AU:N/R:U/RE:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-835
Status
published
Products (6)
Python Software Foundation/CPython
< 3.8.20
Python Software Foundation/CPython
3.10.0 - 3.10.15
Python Software Foundation/CPython
3.11.0 - 3.11.10
Python Software Foundation/CPython
3.12.0 - 3.12.6
Python Software Foundation/CPython
3.13.0a1 - 3.13.0rc2
Python Software Foundation/CPython
3.9.0 - 3.9.20
Published
Aug 22, 2024
Tracked Since
Feb 18, 2026