Apache Commons Compress 1.1 to 1.20 denial of service vulnerability
Description
When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Commons Compress 1.1 to 1.20 can be forced to allocate excessive memory via a crafted TAR archive, leading to denial of service.
Vulnerability
A denial of service vulnerability exists in the tar package of Apache Commons Compress versions 1.1 through 1.20. When reading a specially crafted TAR archive, the library can be made to allocate large amounts of memory, resulting in an out-of-memory error even for very small inputs [3]. The issue is triggered during the parsing of the archive's header or entry data, where insufficient validation allows an attacker to specify an extremely large size value that forces excessive memory allocation.
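As an illustration of the bug class the narrative describes, and not Commons Compress's own Java code or the actual 1.21 fix, the following added Python example parses the octal size field of a ustar header and contrasts a reader that sizes its buffer from that field with one that first checks the claim against the bytes actually remaining and a per-entry cap (the cap value is an assumption). The sample headers are constructed inline.

```python
HEADER_LEN = 512                  # every ustar header block is 512 bytes
SIZE_OFFSET, SIZE_LEN = 124, 12   # ASCII octal size field inside the header
MAX_ENTRY = 64 * 1024 * 1024      # per-entry cap a reader might choose (assumption)

def declared_size(header: bytes) -> int:
    """Return the entry size exactly as the header claims it (no validation)."""
    field = header[SIZE_OFFSET:SIZE_OFFSET + SIZE_LEN]
    return int(field.split(b"\0", 1)[0].strip() or b"0", 8)

def naive_buffer_size(header: bytes) -> int:
    """What a trusting reader would allocate up front: the declared size.
    A 512-byte header claiming ~8 GiB becomes an ~8 GiB allocation request."""
    return declared_size(header)

def bounded_size(header: bytes, remaining: int, cap: int = MAX_ENTRY) -> int:
    """Hardened variant: the declared size must fit in the bytes actually left
    in the input and stay under a per-entry cap before any buffer is sized."""
    size = declared_size(header)
    if size > remaining:
        raise ValueError(f"entry claims {size} bytes but only {remaining} remain")
    if size > cap:
        raise ValueError(f"entry size {size} exceeds per-entry cap {cap}")
    return size

def accepts(header: bytes, remaining: int) -> bool:
    """True if the hardened reader would proceed with this entry."""
    try:
        bounded_size(header, remaining)
        return True
    except ValueError:
        return False

def make_header(name: bytes, size: int) -> bytes:
    """Constructed minimal ustar header for the demo (checksum filled in)."""
    hdr = bytearray(HEADER_LEN)
    hdr[0:len(name)] = name                                   # file name
    hdr[100:108] = b"0000644\0"                               # mode
    hdr[SIZE_OFFSET:SIZE_OFFSET + SIZE_LEN] = b"%011o\0" % size
    hdr[156] = ord("0")                                       # regular file
    hdr[257:263] = b"ustar\0"                                 # magic
    hdr[148:156] = b"        "                                # blank checksum while summing
    hdr[148:156] = b"%06o\0 " % sum(hdr)
    return bytes(hdr)

# Constructed samples: a legitimate 5-byte entry, and a crafted header whose
# size field claims far more than the 512 data bytes that follow it.
LEGIT = make_header(b"hello.txt", 5) + b"hello".ljust(512, b"\0")
CRAFTED = make_header(b"bomb.txt", 0o77777777777) + bytes(512)
```

The crafted input is only 1 KiB, yet the naive reader would request several gigabytes; the bounded reader rejects it before any allocation happens.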
Exploitation
An attacker needs only the ability to supply a malicious TAR archive to a service or application that uses Apache Commons Compress's tar package. No authentication or special privileges are required. The attacker crafts a TAR file with manipulated metadata (e.g., a file entry with an inflated size field) that, when processed by the library, causes the allocation of a disproportionately large buffer. The service then exhausts available memory and crashes or becomes unresponsive.
Impact
Successful exploitation results in a denial of service (DoS) condition. The affected service or application becomes unavailable due to an out-of-memory error. There is no impact on confidentiality or integrity; the attack solely disrupts availability.
Mitigation
Users of Apache Commons Compress should upgrade to version 1.21 or later, which contains the fix for this vulnerability [3]. Apache Ant also uses the Compress library; Ant users should upgrade to Ant 1.9.16 or 1.10.11, which address the issue in that context [2]. No workarounds are available for earlier versions; upgrading is the recommended action.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.commons:commons-compress (Maven) | < 1.21 | 1.21 |
Affected products
GHSA coordinates (6 versions):
- pkg:maven/org.apache.commons/commons-compress (no CPE), range: < 1.21
- pkg:rpm/opensuse/apache-commons-compress&distro=openSUSE%20Leap%2015.2 (no CPE), range: < 1.21-lp152.2.3.1
- pkg:rpm/opensuse/apache-commons-compress&distro=openSUSE%20Leap%2015.3 (no CPE), range: < 1.21-3.3.1
- pkg:rpm/opensuse/apache-commons-compress&distro=openSUSE%20Tumbleweed (no CPE), range: < 1.21-1.2
- pkg:rpm/suse/apache-commons-compress&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP2 (no CPE), range: < 1.21-3.3.1
- pkg:rpm/suse/apache-commons-compress&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP3 (no CPE), range: < 1.21-3.3.1
- Apache Software Foundation / Apache Commons Compress (CVE v5 record), range: 1.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-xqfj-vm6h-2x34 (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-35517 (ghsa: ADVISORY)
- www.openwall.com/lists/oss-security/2021/07/13/3 (ghsa: mailing-list, x_refsource_MLIST, WEB)
- www.openwall.com/lists/oss-security/2021/07/13/5 (ghsa: mailing-list, x_refsource_MLIST, WEB)
- commons.apache.org/proper/commons-compress/security-reports.html (ghsa: x_refsource_MISC, WEB)
- lists.apache.org/thread.html/r31f75743ac173b0a606f8ea6ea53f351f386c44e7bcf78ae04007c29%40%3Cissues.flink.apache.org%3E (mitre: mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/r31f75743ac173b0a606f8ea6ea53f351f386c44e7bcf78ae04007c29@%3Cissues.flink.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/r457b2ed564860996b20d938566fe8bd4bfb7c37be8e205448ccb5975%40%3Cannounce.apache.org%3E (mitre: mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/r457b2ed564860996b20d938566fe8bd4bfb7c37be8e205448ccb5975@%3Cannounce.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/r54afdab05e01de970649c2d91a993f68a6b00cd73e6e34e16c832d46%40%3Cuser.ant.apache.org%3E (mitre: mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/r54afdab05e01de970649c2d91a993f68a6b00cd73e6e34e16c832d46@%3Cuser.ant.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/r605d906b710b95f1bbe0036a53ac6968f667f2c249b6fbabada9a940%40%3Cuser.commons.apache.org%3E (ghsa: x_refsource_MISC, WEB)
- lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b%40%3Cdev.poi.apache.org%3E (mitre: mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b@%3Cdev.poi.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040%40%3Cnotifications.skywalking.apache.org%3E (mitre: mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040@%3Cnotifications.skywalking.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/ra393ffdc7c90a4a37ea023946f390285693795013a642d80fba20203%40%3Cannounce.apache.org%3E (mitre: mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/ra393ffdc7c90a4a37ea023946f390285693795013a642d80fba20203@%3Cannounce.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae%40%3Cnotifications.skywalking.apache.org%3E (mitre: mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae@%3Cnotifications.skywalking.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71%40%3Ccommits.pulsar.apache.org%3E (mitre: mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71@%3Ccommits.pulsar.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c%40%3Cnotifications.skywalking.apache.org%3E (mitre: mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c@%3Cnotifications.skywalking.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee%40%3Cnotifications.skywalking.apache.org%3E (mitre: mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee@%3Cnotifications.skywalking.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a%40%3Cnotifications.skywalking.apache.org%3E (mitre: mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a@%3Cnotifications.skywalking.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e%40%3Cnotifications.skywalking.apache.org%3E (mitre: mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e@%3Cnotifications.skywalking.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742%40%3Cnotifications.skywalking.apache.org%3E (mitre: mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742@%3Cnotifications.skywalking.apache.org%3E (ghsa: WEB)
- security.netapp.com/advisory/ntap-20211022-0001 (ghsa: WEB)
- security.netapp.com/advisory/ntap-20211022-0001/ (mitre: x_refsource_CONFIRM)
- www.oracle.com/security-alerts/cpuapr2022.html (ghsa: x_refsource_MISC, WEB)
- www.oracle.com/security-alerts/cpujan2022.html (ghsa: x_refsource_MISC, WEB)
- www.oracle.com/security-alerts/cpujul2022.html (ghsa: x_refsource_MISC, WEB)
- www.oracle.com/security-alerts/cpuoct2021.html (ghsa: x_refsource_MISC, WEB)
News mentions
No linked articles in our index yet.