Denial of Service via crafted.7z archives due to inefficient algorithmic complexity
Summary
py7zr is a Python-based library and utility to support 7zip archive compression, decompression, encryption and decryption. Prior to 1.1.3, PackInfo._read() in archiveinfo.py used an O(n^2) cumulative sum pattern for attacker-controlled numstreams values parsed from archive headers, allowing a crafted .7z archive to cause excessive CPU consumption during SevenZipFile.init() before extraction. This issue is fixed in version 1.1.3. A flaw was found in py7zr, a Python library for 7zip archives. A remote attacker could exploit this vulnerability by providing a specially crafted .7z archive. This archive, when processed by the `SevenZipFile.init()` function, triggers an inefficient algorithmic complexity (CWE-407) during header parsing. This leads to excessive CPU consumption, resulting in a Denial of Service (DoS) for any application that opens untrusted .7z archives using py7zr. This Moderate severity flaw in the `py7zr` library can lead to a Denial of Service. Applications that utilize `py7zr` to open or process untrusted `.7z` archives are vulnerable to excessive CPU consumption. Red Hat severity: Moderate — CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H). Weakness: CWE-606.
- < 1.1.3
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Mitigation checklist
- Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.