Fides Webserver Vulnerable to Zip Bomb File Uploads
Description
Fides is an open-source privacy engineering platform for managing data privacy requests and privacy regulations. The Fides webserver is vulnerable to a type of Denial of Service (DoS) attack. Attackers can exploit a weakness in the connector template upload feature to upload a malicious zip bomb file, resulting in resource exhaustion and service unavailability for all users of the Fides webserver. This vulnerability affects Fides versions 2.11.0 through 2.15.1. Exploitation is limited to users with elevated privileges, specifically the CONNECTOR_TEMPLATE_REGISTER scope, which includes root users and users with the owner role. The vulnerability has been patched in Fides version 2.16.0. Users are advised to upgrade to this version or later to secure their systems against this threat. There is no known workaround to remediate this vulnerability without upgrading. If an attack occurs, the impact can be mitigated by manually or automatically restarting the affected container.
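The defensive idea behind the fix is that an archive's compressed size says nothing about how much memory and CPU inflating it will cost, so the server has to bound decompression itself. The following is an added example (not Fides code; the function and class names, the constructed limits and the in-memory test archives are all assumptions made for the illustration) that generalizes a per-entry cap into three budgets: a per-entry limit, a running total across the whole archive, and a cap on the number of entries. The declared size in each entry header is used only to fail fast; the streamed byte count is what is actually enforced.

```python
import io
import zipfile

# Constructed limits for the demo; a real deployment would size these to the
# largest legitimate connector template it expects to accept.
MAX_ENTRY_BYTES = 1 * 1024 * 1024   # 1 MB per decompressed entry
MAX_TOTAL_BYTES = 2 * 1024 * 1024   # 2 MB across the whole archive
MAX_ENTRIES = 50                    # cap on the number of entries
CHUNK = 64 * 1024                   # read granularity while streaming


class UnsafeArchive(ValueError):
    """Raised when inflating the archive would exceed a decompression budget."""


def check_zip_budget(
    data: bytes,
    max_entry: int = MAX_ENTRY_BYTES,
    max_total: int = MAX_TOTAL_BYTES,
    max_entries: int = MAX_ENTRIES,
) -> dict:
    """Stream-decompress every entry and abort as soon as any budget is exceeded.

    Returns a small summary dict when the archive fits within all budgets.
    The header's declared file_size is only a cheap early rejection; the
    number of bytes actually produced by the decompressor is what is enforced.
    """
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if len(infos) > max_entries:
            raise UnsafeArchive(f"too many entries: {len(infos)} > {max_entries}")

        for info in infos:
            # Fail fast on entries that already declare themselves oversized.
            if info.file_size > max_entry:
                raise UnsafeArchive(
                    f"{info.filename}: declared size {info.file_size} exceeds per-entry limit"
                )
            seen = 0
            with zf.open(info) as fh:
                # iter() stops on the empty bytes sentinel, i.e. end of entry.
                for chunk in iter(lambda: fh.read(CHUNK), b""):
                    seen += len(chunk)
                    total += len(chunk)
                    if seen > max_entry:
                        raise UnsafeArchive(f"{info.filename}: inflated size exceeds per-entry limit")
                    if total > max_total:
                        raise UnsafeArchive(f"archive total exceeds limit after {info.filename}")
        return {"entries": len(infos), "total_bytes": total}


def build_zip(entries: dict) -> bytes:
    """Build a DEFLATE-compressed zip in memory (constructed test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # A small, legitimate-looking template passes.
    print(check_zip_budget(build_zip({"config.yml": "saas_config: {}"})))
    # Three highly compressible entries each stay under the per-entry cap but
    # blow the archive-wide total; the streamed counter catches it mid-entry.
    many = build_zip({f"part{i}.bin": b"\0" * (900 * 1024) for i in range(3)})
    try:
        check_zip_budget(many)
    except UnsafeArchive as exc:
        print("rejected:", exc)
```

The per-entry check alone would accept the second archive, since each entry inflates to under 1 MB; only the running total rejects it. Note that the check still spends CPU inflating data up to the budget, so the budget itself is the cost ceiling you are accepting per upload, and it should be enforced before any other processing of the archive.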
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ethyca-fides (PyPI) | >= 2.11.0, < 2.16.0 | 2.16.0 |
Affected products
Patches
5aea73846396 Merge pull request from GHSA-g95c-2jgm-hqc6
3 files changed · +64 −0
src/fides/api/service/connectors/saas/connector_registry_service.py+4 −0 modified@@ -40,6 +40,7 @@ replace_dataset_placeholders, replace_version, ) +from fides.api.util.unsafe_file_util import verify_zip from fides.config import CONFIG @@ -181,6 +182,9 @@ def save_template(cls, db: Session, zip_file: ZipFile) -> None: custom connector template, registers the template, and saves it to the database. """ + # verify the zip file before we use it + verify_zip(zip_file) + config_contents = None dataset_contents = None icon_contents = None
src/fides/api/util/unsafe_file_util.py+34 −0 added@@ -0,0 +1,34 @@ +from typing import Optional +from zipfile import ZipFile + +MAX_FILE_SIZE = 16 * 1024 * 1024 # 16 MB +CHUNK_SIZE = 1024 + + +def verify_zip(zip_file: ZipFile, max_file_size: Optional[int] = None) -> None: + """ + Function to safely verify the contents of zipped files. It prevents potential + 'zip bomb' attacks by checking the file size of the files in the zip without fully + extracting them. If the size of any file in the zip exceeds the specified + max_file_size, it raises a ValueError. If the max_file_size is not provided, + it uses a default value of 16 MB. + + :param zip_file: A ZipFile object to be verified. + :param max_file_size: An optional integer specifying the maximum bytes allowed per file. If not provided, a default value is used. + :raises ValueError: If a file in the zip file exceeds the maximum allowed size + """ + + if max_file_size is None: + max_file_size = MAX_FILE_SIZE + + for file_info in zip_file.infolist(): + file_size = 0 + + with zip_file.open(file_info) as file: + # wraps the file read in an iterator that stops once no bytes + # are returned or the max file size is reached + for chunk in iter(lambda: file.read(CHUNK_SIZE), b""): + file_size += len(chunk) + + if file_size > max_file_size: + raise ValueError("File size exceeds maximum allowed size")
tests/ops/util/test_unsafe_file_util.py+26 −0 added@@ -0,0 +1,26 @@ +from io import BytesIO +from zipfile import ZipFile + +import pytest + +from fides.api.util.unsafe_file_util import verify_zip +from tests.ops.test_helpers.saas_test_utils import create_zip_file + + +class TestVerifyZip: + @pytest.fixture + def zip_file(self) -> BytesIO: + return create_zip_file( + { + "config.yml": "This file isn't that big, but it will be considered suspicious if the max file size is set too low", + } + ) + + def test_verify_zip(self, zip_file): + verify_zip(ZipFile(zip_file)) + + def test_verify_zip_with_small_file_size_limit(self, zip_file): + """We set the max file size to 1 byte, so the zip file should be rejected.""" + with pytest.raises(ValueError) as exc: + verify_zip(ZipFile(zip_file), 1) + assert "File size exceeds maximum allowed size" in str(exc.value)
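Review bot: in the second hunk of connector_registry_service.py, verify_zip raises a bare ValueError, so unless the endpoint that calls save_template maps ValueError to a client error, a rejected upload will surface as an unhandled server error rather than a 4xx with the "File size exceeds maximum allowed size" message; consider catching it here or at the endpoint and returning a 400/413 with that message.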
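Review bot: the limit in verify_zip (unsafe_file_util.py) is per entry, not per archive, so an upload with many entries each just under MAX_FILE_SIZE still makes the server inflate an unbounded total, and the number of entries returned by infolist() is itself unbounded; consider also accumulating a running total across all entries and capping the entry count. Two smaller points: a cheap comparison of file_info.file_size against max_file_size before opening each entry would reject obviously oversized entries without decompressing anything (keeping the streamed read as the enforcement point), and CHUNK_SIZE = 1024 means up to 16k read() calls per entry at the default limit, where a larger chunk such as 64 KB would cost the same memory and far fewer calls. Since save_template goes on to read the same entries, every accepted archive is also inflated twice.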
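Review bot: test_verify_zip_with_small_file_size_limit only exercises rejection by lowering max_file_size to 1 byte on a tiny entry; add a case where the entry content is larger than the default MAX_FILE_SIZE (a highly compressible payload built via create_zip_file keeps the archive small) so the default limit and the streamed-read path are covered, and a multi-entry archive to document whether the limit is meant to apply per entry or in total.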
References
- github.com/advisories/GHSA-g95c-2jgm-hqc6 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-37480 (ghsa, ADVISORY)
- github.com/ethyca/fides/commit/5aea738463960d81821c11ae7ade1d627a46bf32 (ghsa, x_refsource_MISC, WEB)
- github.com/ethyca/fides/releases/tag/2.16.0 (ghsa, WEB)
- github.com/ethyca/fides/security/advisories/GHSA-g95c-2jgm-hqc6 (ghsa, x_refsource_CONFIRM, WEB)