High Severity Vulnerability
This vulnerability has been rated as High severity. Immediate action is recommended.
CVE-2024-25710
Vulnerability Description
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.3 through 1.25.0.
Users are recommended to upgrade to version 1.26.0 which fixes the issue.
CVSS Metrics
Common Vulnerability Scoring System
Vector String:
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Known Affected Software
26 configuration(s) from 1 vendor(s)
2025-Jul-CVE-2024-25710
CVE-2024-25710: None
2024-Feb-CVE-2024-25710
CVE-2024-25710: Apache Commons Compress: Denial of service caused by an infinite loop for a corrupted DUMP file
CPUJUL2025
Oracle Critical Patch Update Advisory - July 2025
CPUAPR2025
Oracle Critical Patch Update Advisory - April 2025
CPUJAN2025
Oracle Critical Patch Update Advisory - January 2025
References & Resources
- http://www.openwall.com/lists/oss-security/2024/02/19/1 (Mailing List, Third Party Advisory; sources: security@apache.org, af854a3a-2127-422b-91ae-364da2661108)
- https://lists.apache.org/thread/cz8qkcwphy4cx8gltn932ln51cbtq6kf (Vendor Advisory; sources: security@apache.org, af854a3a-2127-422b-91ae-364da2661108)
- https://security.netapp.com/advisory/ntap-20240307-0010/ (sources: security@apache.org, af854a3a-2127-422b-91ae-364da2661108)
- http://seclists.org/fulldisclosure/2024/Aug/37 (source: af854a3a-2127-422b-91ae-364da2661108)
Severity Details
Weakness Type (CWE)
Loop with Unreachable Exit Condition ('Infinite Loop')
- Description: The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
- Typical Severity: Medium
- Abstraction Level: Base
Key Information
- Published Date: February 19, 2024
