AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb
Summary
AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb. Red Hat rates this important (CVSS 7.5). Weakness: CWE-770. Affected package(s): automation-controller, rhoai/odh-pipeline-runtime-tensorflow-rocm-py312-rhel9:1771502844, ansible-automation-platform, rhoai/odh-pipeline-runtime-pytorch-rocm-py312-rhel9:1770053721, rhoai/odh-pipeline-runtime-datascience-cpu-py312-rhel9:1770055428, rhoai/odh-workbench-jupyter-pytorch-cuda-py312-rhel9:1771502845. Resolved in Red Hat advisory RHSA-2026:2106 — update the affected packages (`sudo dnf update`).
- automation-controller-0:4.5.30-1.el9ap
- rhoai/odh-pipeline-runtime-tensorflow-rocm-py312-rhel9:1771502844
- ansible-automation-platform-25/lightspeed-chatbot-rhel8:1774414699
- rhoai/odh-pipeline-runtime-pytorch-rocm-py312-rhel9:1770053721
- ansible-automation-platform-26/hub-rhel9:1772473168
- rhoai/odh-pipeline-runtime-datascience-cpu-py312-rhel9:1770055428
- ansible-automation-platform-26/de-supported-rhel9:1768853828
- rhoai/odh-workbench-jupyter-pytorch-cuda-py312-rhel9:1771502845
- rhoai/odh-pipeline-runtime-minimal-cpu-py312-rhel9:1770103255
- rhoai/odh-kserve-storage-initializer-rhel9:1770055932
- rhoai/odh-vllm-cuda-rhel9:1770059269
- rhoai/odh-workbench-jupyter-minimal-rocm-py312-rhel9:1771502921
Official advisory · high-confidence parse· fetched 6 hours ago·verify at source
- RHSA-2026:2106
Official advisory · high-confidence parse· fetched 6 hours ago·verify at source
Mitigation checklist
- Update the affected package(s) to the fixed version shipped in RHSA-2026:2106 (`sudo dnf update` / `yum update`).
Official advisory · high-confidence parse· fetched 6 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.