CVE-2018-1324
Description
A specially crafted ZIP archive can be used to cause an infinite loop inside of Apache Commons Compress' extra field parser used by the ZipFile and ZipArchiveInputStream classes in versions 1.11 to 1.15. This can be used to mount a denial of service attack against services that use Compress' zip package.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Commons Compress 1.11 to 1.15 can be forced into an infinite loop via a specially crafted ZIP archive, enabling denial of service attacks.
Vulnerability
A specially crafted ZIP archive can trigger an infinite loop inside the extra field parser of ZipFile and ZipArchiveInputStream classes in Apache Commons Compress versions 1.11 through 1.15 [1]. The parser does not correctly handle malformed or corrupt extra field data, causing the loop to never terminate when processing the crafted archive [4].
Exploitation
An attacker needs only the ability to supply a malicious ZIP archive to a service that uses the affected ZipFile or ZipArchiveInputStream classes [1]. No authentication or special privileges are required. The attack is performed by sending the crafted archive to the target service; upon parsing, the infinite loop consumes CPU resources indefinitely, leading to a denial of service [4].
Impact
Successful exploitation results in a denial of service (CPU exhaustion) against any service using the affected Apache Commons Compress versions [1]. The infinite loop prevents the service from processing further requests, potentially causing availability loss for the entire application [4].
Mitigation
Upgrade to Apache Commons Compress version 1.16 or later, which fixes the infinite loop issue [1]. Users on versions 1.11 to 1.15 should update immediately. No known workarounds exist for this vulnerability [4].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.commons:commons-compress (Maven) | >= 1.11, < 1.16 | 1.16 |
| com.liferay:com.liferay.portal.tools.bundle.support (Maven) | >= 3.2.7, < 3.7.4 | 3.7.4 |
Affected products
- pkg:maven/com.liferay/com.liferay.portal.tools.bundle.support (GHSA coordinates, no CPE): range >= 3.2.7, < 3.7.4
- pkg:maven/io.takari/commons-compress (GHSA coordinates, no CPE): no version range given
- pkg:maven/org.apache.commons/commons-compress (GHSA coordinates, no CPE): range >= 1.11, < 1.16
- Apache Software Foundation / Apache Commons Compress (CVE v5 record): range 1.11 to 1.15
Patches
2a2f1dc48e22: COMPRESS-432 make sure code doesn't get stuck in infinite loop
1 file changed · +1 −1
src/main/java/org/apache/commons/compress/archivers/zip/X0017_StrongEncryptionHeader.java+1 −1 modified@@ -310,7 +310,7 @@ public void parseCentralDirectoryFormat(final byte[] data, final int offset, fin this.hashAlg = HashAlgorithm.getAlgorithmByCode(ZipShort.getValue(data, offset + 12)); this.hashSize = ZipShort.getValue(data, offset + 14); // srlist... hashed public keys - for (int i = 0; i < this.rcount; i++) { + for (long i = 0; i < this.rcount; i++) { for (int j = 0; j < this.hashSize; j++) { // ZipUtil.signedByteToUnsignedInt(data[offset + 16 + (i * this.hashSize) + j])); }
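Review bot: widening the outer counter from `int` to `long` in `parseCentralDirectoryFormat` stops the loop from spinning forever, because with an `int` counter the condition `i < this.rcount` never becomes false once `rcount` exceeds `Integer.MAX_VALUE` (`i` wraps negative instead of reaching it), but the fix is the minimum one and leaves two things a reviewer would want addressed. First, the loop body is entirely commented out (`// ZipUtil.signedByteToUnsignedInt(...)`), so the method now performs up to `rcount * hashSize` iterations of no-op work on attacker-controlled counts; either delete the dead loop or keep it only once it actually consumes bytes. Second, nothing in the hunk checks that `offset + 16 + rcount * hashSize` lies within `data.length`, so a header with a large `rcount` still costs a long busy loop even though it terminates; a bounds check that rejects the extra field when the declared key list does not fit in the remaining data would bound the work to the input size. A regression test with an oversized `rcount` would also help, since the change ships with no test in its single modified file.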
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-h436-432x-8fvx (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-1324 (ghsa, ADVISORY)
- www.securityfocus.com/bid/103490 (mitre, vdb-entry, x_refsource_BID)
- www.securitytracker.com/id/1040549 (mitre, vdb-entry, x_refsource_SECTRACK)
- arxiv.org/pdf/2306.05534.pdf (ghsa, WEB)
- github.com/apache/commons-compress/commit/2a2f1dc48e22a34ddb72321a4db211da91aa933b (ghsa, WEB)
- github.com/jensdietrich/xshady-release/tree/main/CVE-2018-1324 (ghsa, WEB)
- lists.apache.org/thread.html/1c7b6df6d1c5c8583518a0afa017782924918e4d6acfaf23ed5b2089%40%3Cdev.commons.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/1c7b6df6d1c5c8583518a0afa017782924918e4d6acfaf23ed5b2089@%3Cdev.commons.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/b8ef29df0f1d55aa741170748352ae8e425c7b1d286b2f257711a2dd%40%3Cdev.creadur.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/b8ef29df0f1d55aa741170748352ae8e425c7b1d286b2f257711a2dd@%3Cdev.creadur.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/r5532dc8d5456b5151e8c286801e2e5769f5c04118b29c3b5d13ea387%40%3Cissues.beam.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/r5532dc8d5456b5151e8c286801e2e5769f5c04118b29c3b5d13ea387@%3Cissues.beam.apache.org%3E (ghsa, WEB)
- www.oracle.com/security-alerts/cpujan2022.html (mitre, x_refsource_MISC)