Denial of Service via decompression bomb in 7zip archive extraction
Summary
py7zr is a Python-based library and utility to support 7zip archive compression, decompression, encryption and decryption. Prior to 1.1.3, py7zr's Worker.decompress() extracted archive entries without tracking total decompressed size, allowing a crafted .7z file such as a 15.6 KB archive that expands to 100 MB to exhaust disk or memory before extraction completes. This issue is fixed in version 1.1.3. This vulnerability allows a remote attacker to cause a Denial of Service (DoS) by providing a specially crafted .7z file. The `Worker.decompress()` function fails to track the total decompressed size, enabling a small archive to expand significantly and exhaust system resources such as disk space or memory during extraction. This issue is also known as a decompression bomb (CWE-409). This Moderate impact flaw in the py7zr Python library can lead to a denial of service when processing specially crafted 7zip archives. An attacker could provide a malicious archive that, upon decompression, exhausts system resources such as disk space or memory, impacting the availability of services that utilize py7zr for archive handling. Red Hat severity: Moderate — CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H). Weakness: CWE-409.
- < 1.1.3
- < 15.6
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Mitigation checklist
- Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.