From c9a49eeb7b76a7b272a899dd27f51454b89ac80e Mon Sep 17 00:00:00 2001 From: julianladisch <533612+julianladisch@users.noreply.github.com> Date: Mon, 13 Jul 2026 19:59:16 +0200 Subject: [PATCH] Improve GHSA-xcpc-8h2w-3j85 --- .../GHSA-xcpc-8h2w-3j85.json | 37 +++++++++++++++++-- 1 file changed, 33 insertions(+), 4 deletions(-) diff --git a/advisories/unreviewed/2026/07/GHSA-xcpc-8h2w-3j85/GHSA-xcpc-8h2w-3j85.json b/advisories/unreviewed/2026/07/GHSA-xcpc-8h2w-3j85/GHSA-xcpc-8h2w-3j85.json index 69fd11f4ceb53..97ec01081b828 100644 --- a/advisories/unreviewed/2026/07/GHSA-xcpc-8h2w-3j85/GHSA-xcpc-8h2w-3j85.json +++ b/advisories/unreviewed/2026/07/GHSA-xcpc-8h2w-3j85/GHSA-xcpc-8h2w-3j85.json @@ -1,19 +1,40 @@ { "schema_version": "1.4.0", "id": "GHSA-xcpc-8h2w-3j85", - "modified": "2026-07-10T21:32:28Z", + "modified": "2026-07-10T21:33:30Z", "published": "2026-07-10T18:32:19Z", "aliases": [ "CVE-2026-39244" ], - "details": "adm-zip before 0.5.18 is vulnerable to denial of service via a crafted ZIP file with a manipulated uncompressed size header field. In zipEntry.js line 103, Buffer.alloc(_centralHeader.size) allocates memory based on the declared uncompressed size from the ZIP central directory header without validating it against the actual compressed data size or imposing any upper bound. The size value is read directly from the binary header at entryHeader.js line 266 with no bounds check. An attacker can craft a ~120-byte ZIP file that declares ~4GB uncompressed size, causing a memory allocation amplification ratio of over 33 million to 1. The allocation occurs before CRC validation, so the malicious payload cannot be rejected early. All extraction and read methods are affected: readFile(), readAsText(), extractEntryTo(), extractAllTo(), extractAllToAsync(), test(), and entry.getData(). Any application accepting untrusted ZIP files via adm-zip is vulnerable to immediate process crash.", + "summary": "adm-zip: Crafted ZIP file triggers 4GB memory allocation", + "details": "adm-zip before 0.6.0 is vulnerable to denial of service via a crafted ZIP file with a manipulated uncompressed size header field. In zipEntry.js line 103, Buffer.alloc(_centralHeader.size) allocates memory based on the declared uncompressed size from the ZIP central directory header without validating it against the actual compressed data size or imposing any upper bound. The size value is read directly from the binary header at entryHeader.js line 266 with no bounds check. An attacker can craft a ~120-byte ZIP file that declares ~4GB uncompressed size, causing a memory allocation amplification ratio of over 33 million to 1. The allocation occurs before CRC validation, so the malicious payload cannot be rejected early. All extraction and read methods are affected: readFile(), readAsText(), extractEntryTo(), extractAllTo(), extractAllToAsync(), test(), and entry.getData(). Any application accepting untrusted ZIP files via adm-zip is vulnerable to immediate process crash.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], - "affected": [], + "affected": [ + { + "package": { + "ecosystem": "npm", + "name": "adm-zip" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.6.0" + } + ] + } + ] + } + ], "references": [ { "type": "ADVISORY", @@ -23,10 +44,18 @@ "type": "WEB", "url": "https://github.com/cthackers/adm-zip/issues/568" }, + { + "type": "WEB", + "url": "https://github.com/cthackers/adm-zip/commit/2450dcf417aa29df49270237d18c5245794da3e2" + }, { "type": "WEB", "url": "https://github.com/cthackers/adm-zip" }, + { + "type": "WEB", + "url": "https://github.com/cthackers/adm-zip/releases" + }, { "type": "WEB", "url": "https://www.npmjs.com/package/adm-zip" @@ -34,7 +63,7 @@ ], "database_specific": { "cwe_ids": [ - "CWE-400" + "CWE-789" ], "severity": "HIGH", "github_reviewed": false,