CVE-2018-11771
Description
When reading a specially crafted ZIP archive, the read method of Apache Commons Compress 1.7 to 1.17's ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. When combined with a java.io.InputStreamReader this can lead to an infinite stream, which can be used to mount a denial of service attack against services that use Compress' zip package.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Commons Compress 1.7 to 1.17 fails to signal EOF when reading crafted ZIP archives, allowing an infinite stream leading to denial of service.
Vulnerability
In Apache Commons Compress versions 1.7 through 1.17, the ZipArchiveInputStream.read() method does not correctly return an end-of-file (EOF) indication when the end of a specially crafted ZIP archive has been reached. This flaw manifests when the method is used in combination with a java.io.InputStreamReader, which can then treat the stream as infinite and continue reading indefinitely [1].
Exploitation
An attacker must supply a maliciously crafted ZIP archive to a service or application that uses the affected ZipArchiveInputStream from Apache Commons Compress. The attack does not require authentication if the service accepts arbitrary ZIP files. Once the archive is parsed, the InputStreamReader never observes the end of the stream, so the reading loop runs indefinitely [1].
Impact
Successful exploitation results in a denial of service (DoS) condition. The infinite stream consumes CPU resources and can block the thread performing the read operation, potentially making the targeted service unresponsive or causing resource exhaustion on the host system [1].
Mitigation
The vulnerability is fixed in Apache Commons Compress version 1.18, released on 2018-08-09. All users should upgrade to this version or later to eliminate the vulnerability. No known workarounds exist for earlier versions. There is no indication that this issue has been exploited in the wild or added to the CISA Known Exploited Vulnerabilities catalog [1][2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
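The Vulnerability and Mitigation sections above describe a read() that never signals EOF and state that the only fix is the 1.18 upgrade. As an added illustration (not code from the advisory or from Commons Compress), the following hypothetical guard shows the generic hardening a consumer can put in front of any entry stream so that a stream which never ends fails fast instead of hanging a thread; the class name, the byte budget and the stall threshold are assumptions chosen for the example.

```java
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;

/**
 * Hypothetical guard (added example, not Commons Compress code): wraps the
 * stream handed to a reader and aborts when an entry either exceeds a byte
 * budget or keeps returning zero bytes without ever signalling EOF (-1).
 * Both limits are illustrative assumptions, not values from the advisory.
 */
public final class BoundedEntryStream extends FilterInputStream {
    private final long maxBytes;   // hard cap on bytes accepted from one entry
    private final int maxStalls;   // tolerated consecutive zero-byte reads
    private long consumed;
    private int stalls;

    public BoundedEntryStream(InputStream in, long maxBytes, int maxStalls) {
        super(in);
        this.maxBytes = maxBytes;
        this.maxStalls = maxStalls;
    }

    @Override
    public int read() throws IOException {
        int b = in.read();
        if (b >= 0) {
            account(1);
        }
        return b;
    }

    @Override
    public int read(byte[] buf, int off, int len) throws IOException {
        int n = in.read(buf, off, len);
        if (n > 0) {
            stalls = 0;
            account(n);
        } else if (n == 0 && len > 0 && ++stalls > maxStalls) {
            // A stream that makes no progress and never reports EOF: fail fast.
            throw new IOException("no progress after " + maxStalls + " reads; aborting entry");
        }
        return n;
    }

    private void account(long n) throws IOException {
        consumed += n;
        if (consumed > maxBytes) {
            throw new IOException("entry exceeded " + maxBytes + " bytes; aborting entry");
        }
    }
}
```

Wrap the entry stream before handing it to a reader, for example `new InputStreamReader(new BoundedEntryStream(zipIn, 64L << 20, 16), StandardCharsets.UTF_8)`, with the limits set from the entry sizes the application actually expects.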
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.commons:commons-compress (Maven) | >= 1.7, < 1.18 | 1.18 |
Affected products
- Apache Software Foundation / Apache Commons Compress, range: 1.7 to 1.17
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-hrmr-f5m6-m9pq (advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-11771 (advisory)
- www.securityfocus.com/bid/105139 (vulnerability database entry, BID)
- www.securitytracker.com/id/1041503 (vulnerability database entry, SECTRACK)
- lists.apache.org/thread.html/0adb631517766e793e18a59723e2df08ced41eb9a57478f14781c9f7@%3Cdev.tinkerpop.apache.org%3E (mailing list)
- lists.apache.org/thread.html/3565494c263dfeb4dcb2a71cb24d09a1ca285cd6ac74edc025a3af8a@%3Ccommits.tinkerpop.apache.org%3E (mailing list)
- lists.apache.org/thread.html/35f60d6d0407c13c39411038ba1aca71d92595ed7041beff4d07f2ee@%3Ccommits.tinkerpop.apache.org%3E (mailing list)
- lists.apache.org/thread.html/6c79965066c30d4e330e04d911d3761db41b82c89ae38d9a6b37a6f1@%3Cdev.tinkerpop.apache.org%3E (mailing list)
- lists.apache.org/thread.html/714c6ac1b1b50f8557e7342903ef45f1538a7bc60a0b47d6e48c273d@%3Ccommits.tinkerpop.apache.org%3E (mailing list)
- lists.apache.org/thread.html/b8da751fc0ca949534cdf2744111da6bb0349d2798fac94b0a50f330@%3Cannounce.apache.org%3E (mailing list)
- lists.apache.org/thread.html/b8ef29df0f1d55aa741170748352ae8e425c7b1d286b2f257711a2dd@%3Cdev.creadur.apache.org%3E (mailing list)
- lists.apache.org/thread.html/b907e70bc422905d7962fd18f863f746bf7b4e7ed9da25c148580c61@%3Cnotifications.commons.apache.org%3E (mailing list)
- lists.apache.org/thread.html/c7954dc1e8fafd7ca1449f078953b419ebf8936e087f235f3bd024be@%3Ccommits.tinkerpop.apache.org%3E (mailing list)
- lists.apache.org/thread.html/e3eae9e6fc021c4c22dda59a335d21c12eecab480b48115a2f098ef6@%3Ccommits.tinkerpop.apache.org%3E (mailing list)
- lists.apache.org/thread.html/eeecc1669242b28a3777ae13c68b376b0148d589d3d8170340d61120@%3Cdev.tinkerpop.apache.org%3E (mailing list)
- lists.apache.org/thread.html/f28052d04cb8dbaae39bfd3dc8438e58c2a8be306a3f381f4728d7c1@%3Ccommits.commons.apache.org%3E (mailing list)
- lists.apache.org/thread.html/f9cdd32af7d73e943452167d15801db39e8130409ebb9efb243b3f41@%3Ccommits.tinkerpop.apache.org%3E (mailing list)
- lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E (mailing list)
- www.oracle.com/security-alerts/cpujan2022.html (vendor advisory)
News mentions
No linked articles in our index yet.