CVE-2024-0450
Severity: Medium
Vulnerability Description
An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.
The zipfile module is vulnerable to “quoted-overlap” zip bombs, which exploit the zip format to build an archive with a very high compression ratio by having several central-directory entries point at (quote) the same bytes of compressed data. The fixed versions of CPython make the zipfile module reject zip archives whose entries overlap.
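The overlap check that the fix performs, as an added Python example that is not from the CPython commits or this advisory: it reads each entry's local file header from the raw archive bytes and flags any entry whose compressed data runs past the next entry's header (or past the central directory), and it builds a small constructed fixture in which two central-directory records point at the same local header. It assumes zipfile's undocumented `start_dir` attribute for the central-directory offset; the fixture, payload and entry names are constructed here.

```python
import io
import struct
import zipfile
import zlib

LOCAL_HDR = struct.Struct("<IHHHHHIIIHH")        # local file header, 30 bytes
CD_HDR = struct.Struct("<IHHHHHHIIIHHHHHII")     # central directory record, 46 bytes
EOCD = struct.Struct("<IHHHHIIH")                # end-of-central-directory, 22 bytes


def overlapping_entries(data: bytes) -> list:
    """Names of entries whose compressed data runs past the next local header
    (or past the central directory), i.e. entries that share bytes with another."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = sorted(zf.infolist(), key=lambda zi: zi.header_offset)
        # each entry may extend only up to the next header; the last one up to
        # the central directory, whose offset zipfile records as start_dir
        limits = [zi.header_offset for zi in infos[1:]] + [getattr(zf, "start_dir", None)]
    bad = []
    for zi, limit in zip(infos, limits):
        if zi.header_offset + LOCAL_HDR.size > len(data):
            bad.append(zi.filename)          # header offset points outside the file
            continue
        hdr = LOCAL_HDR.unpack_from(data, zi.header_offset)
        if hdr[0] != 0x04034B50:
            bad.append(zi.filename)          # no local file header at that offset
            continue
        # data follows the fixed header, the local filename and the local extra field
        data_start = zi.header_offset + LOCAL_HDR.size + hdr[9] + hdr[10]
        if limit is not None and data_start + zi.compress_size > limit:
            bad.append(zi.filename)
    return bad


def build_zip(cd_names) -> bytes:
    """Constructed fixture: one stored local entry 'a.txt' plus one central
    directory record per name, every record pointing at offset 0. One name gives
    an ordinary archive; several names make the records quote the same bytes."""
    payload = b"hello zip"
    crc = zlib.crc32(payload)
    local = LOCAL_HDR.pack(0x04034B50, 20, 0, 0, 0, 0, crc, len(payload),
                           len(payload), 5, 0) + b"a.txt" + payload
    cd = b""
    for name in cd_names:
        n = name.encode()
        cd += CD_HDR.pack(0x02014B50, 20, 20, 0, 0, 0, 0, crc, len(payload),
                          len(payload), len(n), 0, 0, 0, 0, 0, 0) + n
    eocd = EOCD.pack(0x06054B50, 0, 0, len(cd_names), len(cd_names),
                     len(cd), len(local), 0)
    return local + cd + eocd
```

Opening the flagged archive with `ZipFile(...)` still succeeds on every CPython version, because the central directory parses cleanly; the fixed releases raise `BadZipFile` only when the overlapping entry is opened for reading, which is why a pre-extraction check like this one is useful on older interpreters.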
CVSS Metrics
Common Vulnerability Scoring System
Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Related Advisories
- 2024-Sep-CVE-2024-0450: CVE-2024-0450: None
- 2024-Mar-CVE-2024-0450: CVE-2024-0450: Quoted zip-bomb protection for zipfile
- CPUJAN2025: Oracle Critical Patch Update Advisory - January 2025
References & Resources
- http://www.openwall.com/lists/oss-security/2024/03/20/5
- https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85
- https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba
- https://github.com/python/cpython/commit/70497218351ba44bffc8b571201ecb5652d84675
- https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51
- https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549
- https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183
- https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b
- https://github.com/python/cpython/issues/109858
- https://lists.debian.org/debian-lts-announce/2024/03/msg00024.html
- https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html
- https://lists.debian.org/debian-lts-announce/2024/11/msg00005.html
- https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/
- https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/
- https://security.netapp.com/advisory/ntap-20250411-0005/
- https://www.bamsoftware.com/hacks/zipbomb/
Severity Details
Weakness Type (CWE): Asymmetric Resource Consumption (Amplification)
- Description: The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."
- Typical Severity: Medium
- Abstraction Level: Class
Key Information
- Published Date: March 19, 2024
