VYPR

CWE-409

Improper Handling of Highly Compressed Data (Data Amplification)

Abstraction: Base; Status: Incomplete

Description

The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

An example of data amplification is a "decompression bomb," a small ZIP file that can produce a large amount of data when it is decompressed.

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (54)

page 3 of 3
  • CVE-2025-60790 (Oct 21, 2025)
    risk 0.00 cvss · epss 0.00

    ProcessWire CMS 3.0.246 allows a low-privileged user with lang-edit to upload a crafted ZIP to Language Support that is auto-extracted without limits prior to validation, enabling resource-exhaustion Denial of Service.

  • CVE-2025-58057 (Sep 3, 2025)
    risk 0.00 cvss · epss 0.01

    Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with…

  • CVE-2025-53633 (Jul 10, 2025)
    risk 0.00 cvss · epss 0.00

    Chall-Manager is a platform-agnostic system able to start Challenges on Demand of a player. When decoding a scenario (i.e. a zip archive), the size of the decoded content is not checked, potentially leading to zip bombs decompression. Exploitation does not require authentication…

  • CVE-2025-46730 (May 5, 2025)
    risk 0.00 cvss · epss 0.00

    MobSF is a mobile application security testing tool used. Typically, MobSF is deployed on centralized internal or cloud-based servers that also host other security tools and web applications. Access to the MobSF web interface is often granted to internal security teams, audit…

  • CVE-2024-7765 (Mar 20, 2025)
    risk 0.00 cvss · epss 0.01

    In h2oai/h2o-3 version 3.46.0.2, a vulnerability exists where uploading and repeatedly parsing a large GZIP file can cause a denial of service. The server becomes unresponsive due to memory exhaustion and a large number of concurrent slow-running jobs. This issue arises from the…

  • CVE-2024-54016 (Mar 20, 2025)
    risk 0.00 cvss · epss 0.01

    Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in Apache Seata (incubating). This issue affects Apache Seata (incubating): through <=2.2.0. Users are recommended to upgrade to version 2.3.0, which fixes the issue.

  • CVE-2024-54682 (Dec 16, 2024)
    risk 0.00 cvss · epss 0.00

    Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to limit the file size for slack import file uploads, which allows a user to cause a DoS via zip bomb by importing data in a team in which they are a team admin.

  • CVE-2024-43499 (Nov 12, 2024)
    risk 0.00 cvss · epss 0.03

    .NET and Visual Studio Denial of Service Vulnerability

  • CVE-2024-3572 (Apr 16, 2024)
    risk 0.00 cvss · epss 0.01

    The scrapy/scrapy project is vulnerable to XML External Entity (XXE) attacks due to the use of lxml.etree.fromstring for parsing untrusted XML data without proper validation. This vulnerability allows attackers to perform denial of service attacks, access local files, generate…

  • CVE-2024-28180 (Mar 9, 2024)
    risk 0.00 cvss · epss 0.02

    Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now…

  • CVE-2024-28101 (Mar 6, 2024)
    risk 0.00 cvss · epss 0.01

    The Apollo Router is a graph router written in Rust to run a federated supergraph that uses Apollo Federation. Versions 0.9.5 until 1.40.2 are subject to a Denial-of-Service (DoS) type vulnerability. When receiving compressed HTTP payloads, affected versions of the Router…

  • CVE-2023-26483 (Mar 3, 2023)
    risk 0.00 cvss · epss 0.01

    gosaml2 is a Pure Go implementation of SAML 2.0. SAML Service Providers using this library for SAML authentication support are likely susceptible to Denial of Service attacks. A bug in this library enables attackers to craft a `deflate`-compressed request which will consume…

  • CVE-2023-0475 (Feb 16, 2023)
    risk 0.00 cvss · epss 0.00

    HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0.

  • CVE-2022-45198 (Nov 14, 2022)
    risk 0.00 cvss · epss 0.01

    Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification).