Resource Exhaustion Vulnerability in Cinnamon kotaemon by Cinnamon
CVE-2025-63914

6.5 MEDIUM

Key Information:

Vendor: Cinnamon

Status
Vendor
CVE Published: 24 November 2025

What is CVE-2025-63914?

Cinnamon kotaemon version 0.11.0 contains a vulnerability in the _may_extract_zip function in the ui.py file. This vulnerability allows unauthorized users to upload ZIP files without proper content validation. Although the server attempts to clear extracted data from temporary folders after each extraction, an attacker can still exploit this by uploading a specially crafted ZIP bomb. Such an attack may unnecessarily consume server resources during decompression, leading to potential service interruptions and excessive disk space occupation. The vulnerability poses a risk to system availability and can be exploited by any user with file upload permissions.
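One way to bound the cost of handling an uploaded ZIP, both before and during decompression. This is an added example, not kotaemon's own code or its fix; the function names, the limits and the sample archive helper are assumptions made for illustration.

```python
import io
import zipfile

# Assumed limits for illustration; tune them to the deployment.
MAX_MEMBERS = 1000
MAX_TOTAL_BYTES = 200 * 1024 * 1024   # total declared uncompressed size
MAX_RATIO = 100                       # uncompressed / compressed, per member
CHUNK = 64 * 1024


class UnsafeArchive(Exception):
    """Raised when an uploaded archive exceeds the extraction budget."""


def precheck_zip(fileobj):
    """Reject an archive from its declared metadata, before decompressing."""
    with zipfile.ZipFile(fileobj) as zf:
        infos = zf.infolist()
        if len(infos) > MAX_MEMBERS:
            raise UnsafeArchive("too many members")
        total = 0
        for info in infos:
            total += info.file_size
            if total > MAX_TOTAL_BYTES:
                raise UnsafeArchive("declared size over budget")
            if info.file_size > MAX_RATIO * max(info.compress_size, 1):
                raise UnsafeArchive(f"suspicious ratio: {info.filename}")
    return total


def bounded_read(zf, info, budget):
    """Decompress one member in chunks; headers can lie, so count real bytes."""
    out = bytearray()
    with zf.open(info) as src:
        while chunk := src.read(CHUNK):
            out += chunk
            if len(out) > budget:
                raise UnsafeArchive(f"member over budget: {info.filename}")
    return bytes(out)


def make_sample_zip(name, payload):
    # Constructed sample input: an in-memory archive with one deflated member.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    buf.seek(0)
    return buf
```

The metadata check is cheap but relies on sizes the archive declares, so the chunked read enforces the same budget on the bytes actually produced.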

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
