Infinite Loop Vulnerability in CPython's 'zipfile' Module
CVE-2024-8088

8.7HIGH

Key Information:

Vendor

Python Software Foundation

Status
Cpython
Vendor
CVE Published:
22 August 2024

What is CVE-2024-8088?

The CPython zipfile module has a vulnerability affecting the zipfile.Path functions, such as namelist() and iterdir(). This flaw can result in an infinite loop when processing specially crafted zip archives, specifically during metadata reading or content extraction. Programs that do not process user-controlled zip archives remain unaffected. Developers need to be cautious when handling zip files from untrusted sources.

Affected Version(s)

CPython 0 < 3.8.20

CPython 3.9.0 < 3.9.20

CPython 3.10.0 < 3.10.15

References

https://mail.python.org/archives/list/security-announce@p...
vendor-advisory
https://github.com/python/cpython/pull/122906
patch
https://github.com/python/cpython/issues/122905
issue-tracking

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jason R. Coombs
Seth Larson
JSON
.
CVE-2024-8088 : Infinite Loop Vulnerability in CPython's 'zipfile' Module