CWE-409
Improper Handling of Highly Compressed Data (Data Amplification)
Description
The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (54)
page 3 of 3

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-60790 | | | 0.00 | — | 0.00 | | Oct 21, 2025 | ProcessWire CMS 3.0.246 allows a low-privileged user with lang-edit to upload a crafted ZIP to Language Support that is auto-extracted without limits prior to validation, enabling resource-exhaustion Denial of Service. |
| CVE-2025-58057 | | | 0.00 | — | 0.01 | | Sep 3, 2025 | Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with… |
| CVE-2025-53633 | | | 0.00 | — | 0.00 | | Jul 10, 2025 | Chall-Manager is a platform-agnostic system able to start Challenges on Demand of a player. When decoding a scenario (i.e. a zip archive), the size of the decoded content is not checked, potentially leading to zip bombs decompression. Exploitation does not require authentication… |
| CVE-2025-46730 | | | 0.00 | — | 0.00 | | May 5, 2025 | MobSF is a mobile application security testing tool used. Typically, MobSF is deployed on centralized internal or cloud-based servers that also host other security tools and web applications. Access to the MobSF web interface is often granted to internal security teams, audit… |
| CVE-2024-7765 | | | 0.00 | — | 0.01 | | Mar 20, 2025 | In h2oai/h2o-3 version 3.46.0.2, a vulnerability exists where uploading and repeatedly parsing a large GZIP file can cause a denial of service. The server becomes unresponsive due to memory exhaustion and a large number of concurrent slow-running jobs. This issue arises from the… |
| CVE-2024-54016 | | — | 0.00 | — | 0.01 | | Mar 20, 2025 | Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in Apache Seata (incubating). This issue affects Apache Seata (incubating): through <=2.2.0. Users are recommended to upgrade to version 2.3.0, which fixes the issue. |
| CVE-2024-54682 | | | 0.00 | — | 0.00 | | Dec 16, 2024 | Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to limit the file size for slack import file uploads which allows a user to cause a DoS via zip bomb by importing data in a team they are a team admin. |
| CVE-2024-43499 | | | 0.00 | — | 0.03 | | Nov 12, 2024 | .NET and Visual Studio Denial of Service Vulnerability |
| CVE-2024-3572 | | | 0.00 | — | 0.01 | | Apr 16, 2024 | The scrapy/scrapy project is vulnerable to XML External Entity (XXE) attacks due to the use of lxml.etree.fromstring for parsing untrusted XML data without proper validation. This vulnerability allows attackers to perform denial of service attacks, access local files, generate… |
| CVE-2024-28180 | | | 0.00 | — | 0.02 | | Mar 9, 2024 | Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now… |
| CVE-2024-28101 | | | 0.00 | — | 0.01 | | Mar 6, 2024 | The Apollo Router is a graph router written in Rust to run a federated supergraph that uses Apollo Federation. Versions 0.9.5 until 1.40.2 are subject to a Denial-of-Service (DoS) type vulnerability. When receiving compressed HTTP payloads, affected versions of the Router… |
| CVE-2023-26483 | | | 0.00 | — | 0.01 | | Mar 3, 2023 | gosaml2 is a Pure Go implementation of SAML 2.0. SAML Service Providers using this library for SAML authentication support are likely susceptible to Denial of Service attacks. A bug in this library enables attackers to craft a `deflate`-compressed request which will consume… |
| CVE-2023-0475 | | | 0.00 | — | 0.00 | | Feb 16, 2023 | HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0. |
| CVE-2022-45198 | | — | 0.00 | — | 0.01 | | Nov 14, 2022 | Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification). |