Dromara HuTool cn.hutool.core.util.ZipUtil.java resource consumption
Description
A vulnerability classified as problematic was found in Dromara HuTool up to 5.8.10. This vulnerability affects unknown code of the file cn.hutool.core.util.ZipUtil.java. The manipulation leads to resource consumption. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 5.8.11 is able to address this issue. It is recommended to upgrade the affected component. VDB-215974 is the identifier assigned to this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
HuTool up to 5.8.10 contains a ZIP bomb vulnerability in its ZipUtil.unzip methods, enabling remote denial of service via resource exhaustion.
Vulnerability
Description
CVE-2022-4565 is a resource consumption vulnerability in Dromara HuTool, a Java utility library [2]. The flaw resides in the cn.hutool.core.util.ZipUtil.java file, where multiple unzip methods fail to validate the decompressed size of ZIP entries [1]. A specially crafted ZIP bomb (a compressed archive of highly redundant data) can be supplied, which inflates to a size many orders of magnitude larger than the archive itself [1]. The component does not enforce limits on entry size or total decompressed data, leading to uncontrolled resource consumption [1].
Exploitation
The attack is remotely exploitable without authentication, as HuTool applications commonly accept user-supplied ZIP files for extraction [1][2]. An attacker can deliver a small compressed file (e.g., 42 KB) that decompresses to 5.5 GB on disk; larger bombs escalate to terabytes or petabytes [1]. All eleven unzip overloads in ZipUtil, including those accepting String, File, InputStream, or ZipInputStream parameters, are affected as they ultimately invoke a core method with a limit parameter hardcoded to -1L (unlimited) [1].
Impact
Successful exploitation exhausts server storage resources, causing a denial-of-service condition [1][2]. The vulnerability is publicly known, with an exploit generator available [1].
Mitigation
HuTool version 5.8.11 resolves the issue by introducing size checks during ZIP extraction [1][2]. Users must upgrade to this release or later. No workaround exists for older versions, as the vulnerable code paths lack configurable limits [1].
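The size checks described above are the defensive pattern worth understanding regardless of library. The following is an added example written for this page, not HuTool's code and not its patched implementation: it uses plain java.util.zip and enforces a per-entry, total, and entry-count budget on the inflated output. The limit values (MAX_TOTAL_BYTES, MAX_ENTRY_BYTES, MAX_ENTRIES) are hypothetical policy choices for the example, and the archive it builds in memory is a constructed test input, not a real bomb. The essential point is that the budget is checked on the bytes actually produced by the inflater, not on ZipEntry.getSize(), which is attacker-controlled header metadata.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class BoundedUnzip {

    // Hypothetical extraction budget for this example (not HuTool settings).
    static final long MAX_TOTAL_BYTES = 1L * 1024 * 1024;  // 1 MiB across all entries
    static final long MAX_ENTRY_BYTES = 256L * 1024;       // 256 KiB per entry
    static final int  MAX_ENTRIES     = 100;               // cap on entry count

    /** Thrown when an archive exceeds the configured extraction budget. */
    static class ExtractionLimitExceeded extends IOException {
        ExtractionLimitExceeded(String msg) { super(msg); }
    }

    /**
     * Inflates every entry and copies it to `sink` (a real caller would open
     * one file per entry), aborting as soon as the decompressed byte count
     * crosses a limit. Counting happens on inflater output, so a lying
     * local-header size field cannot bypass the check.
     */
    static long extractBounded(InputStream in, OutputStream sink) throws IOException {
        long total = 0;
        int entries = 0;
        byte[] buf = new byte[8192];
        try (ZipInputStream zis = new ZipInputStream(in)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                if (++entries > MAX_ENTRIES) {
                    throw new ExtractionLimitExceeded("too many entries");
                }
                long entryBytes = 0;
                int n;
                while ((n = zis.read(buf)) != -1) {
                    entryBytes += n;
                    total += n;
                    if (entryBytes > MAX_ENTRY_BYTES) {
                        throw new ExtractionLimitExceeded("entry too large: " + entry.getName());
                    }
                    if (total > MAX_TOTAL_BYTES) {
                        throw new ExtractionLimitExceeded("archive too large in total");
                    }
                    sink.write(buf, 0, n);
                }
                zis.closeEntry();
            }
        }
        return total;
    }

    /** Constructed test input: one entry whose inflated content is `size` zero bytes. */
    static byte[] buildArchive(String name, int size) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            zos.putNextEntry(new ZipEntry(name));
            byte[] zeros = new byte[8192];
            int remaining = size;
            while (remaining > 0) {
                int chunk = Math.min(remaining, zeros.length);
                zos.write(zeros, 0, chunk);
                remaining -= chunk;
            }
            zos.closeEntry();
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        // A benign archive within budget passes.
        byte[] ok = buildArchive("small.txt", 100 * 1024);
        long got = extractBounded(new ByteArrayInputStream(ok), OutputStream.nullOutputStream());
        System.out.println("extracted " + got + " bytes from " + ok.length + "-byte archive");

        // An archive that inflates past the per-entry budget is rejected early,
        // having written at most MAX_ENTRY_BYTES plus one buffer to the sink.
        byte[] big = buildArchive("big.bin", 512 * 1024);
        try {
            extractBounded(new ByteArrayInputStream(big), OutputStream.nullOutputStream());
        } catch (ExtractionLimitExceeded e) {
            System.out.println("rejected " + big.length + "-byte archive: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac BoundedUnzip.java && java BoundedUnzip` (Java 11 or later, for OutputStream.nullOutputStream()). In a real service the same three limits should also be paired with a path check on each entry name before any file is created, and the budget should be sized to the disk and memory the extraction host can actually spare.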
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| cn.hutool:hutool-core (Maven) | < 5.8.11 | 5.8.11 |
Affected products
- Dromara/HuTool v5, Range: 5.8.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-47vx-fqr5-j2gw (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-4565 (GHSA, advisory)
- github.com/dromara/hutool/issues/2797 (GHSA, web)
- vuldb.com (GHSA, web)
News mentions
No linked articles in our index yet.