CVE-2021-33196

Name of the Vulnerable Software and Affected Versions archive/zip in Go versions prior to 1.15.13 archive/zip in Go versions 1.16.x prior to 1.16.5

Description The issue is related to the lack of checking the number of files in an archive, which can be exploited by a remote attacker to cause a denial of service using a crafted archive file. Specifically, a crafted file count in an archive's header can cause a NewReader or OpenReader panic. This can lead to excessive memory allocation attempts. The problem occurs when reading an archive that claims to contain a large number of files, regardless of its actual size, potentially causing a panic or an unrecoverable fatal error.

Recommendations For archive/zip in Go versions prior to 1.15.13, update to version 1.15.13 or later. For archive/zip in Go versions 1.16.x prior to 1.16.5, update to version 1.16.5 or later. As a temporary workaround, consider restricting the use of the NewReader and OpenReader functions when dealing with archives from untrusted sources until a patch is applied.