GHSA-jfmj-5v4g-7637: zipp Denial of Service vulnerability

Skip to content

Navigation Menu

• • Actions

    Automate any workflow

  • Packages

    Host and manage packages

  • Security

    Find and fix vulnerabilities

  • Codespaces

    Instant dev environments

  • GitHub Copilot

    Write better code with AI

  • Code review

    Manage code changes

  • Issues

    Plan and track work

  • Discussions

    Collaborate outside of code

• • GitHub Sponsors

    Fund open source developers

*   The ReadME Project
    
    GitHub community articles

• • Enterprise platform

    AI-powered developer platform

• Pricing

Provide feedback

Saved searches****Use saved searches to filter your results more quickly

Sign up

1. GitHub Advisory Database
2. GitHub Reviewed
3. CVE-2024-5569

zipp Denial of Service vulnerability

Moderate severity GitHub Reviewed Published Jul 9, 2024 to the GitHub Advisory Database • Updated Jul 9, 2024

Affected versions

< 3.19.1

Description

A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinite loop. This issue also impacts the zipfile module of CPython, as features from the third-party zipp library are later merged into CPython, and the affected code is identical in both projects. The infinite loop can be initiated through the use of functions affecting the Path module in both zipp and zipfile, such as joinpath, the overloaded division operator, and iterdir. Although the infinite loop is not resource exhaustive, it prevents the application from responding. The vulnerability was addressed in version 3.19.1 of jaraco/zipp.

References

• https://nvd.nist.gov/vuln/detail/CVE-2024-5569
• jaraco/zipp@fd604bd
• https://huntr.com/bounties/be898306-11f9-46b4-b28c-f4c4aa4ffbae

Published to the GitHub Advisory Database

Jul 9, 2024