CVE-2024-0450

Quoted zip-bomb protection for zipfile

Description

An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.

Category

6.2
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.17%
Vendor Advisory python.org
Affected: Python Software Foundation CPython
Published at:
Updated at:

References

Link Tags
https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba patch
https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b patch
https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549 patch
https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85 patch
https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51 patch
https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183 patch
https://github.com/python/cpython/issues/109858 issue tracking
https://www.bamsoftware.com/hacks/zipbomb/
https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/ vendor advisory
https://lists.debian.org/debian-lts-announce/2024/03/msg00024.html
https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html
http://www.openwall.com/lists/oss-security/2024/03/20/5
https://github.com/python/cpython/commit/70497218351ba44bffc8b571201ecb5652d84675 patch
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/
https://security.netapp.com/advisory/ntap-20250411-0005/

Frequently Asked Questions

What is the severity of CVE-2024-0450?
CVE-2024-0450 has been scored as a medium severity vulnerability.
How to fix CVE-2024-0450?
To fix CVE-2024-0450, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-0450 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-0450 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-0450?
CVE-2024-0450 affects Python Software Foundation CPython.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.