PT-2025-11700 · Unknown · Kin-Openapi

Published: 2025-03-19 · Updated: 2026-05-18 · CVE-2025-30153
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions: kin-openapi versions prior to 0.131.0
Description: The issue arises when the module validates a request body against a multipart/form-data schema. If the schema permits a file part, an attacker can upload a crafted ZIP archive, such as a ZIP bomb, and the ZipFileBodyDecoder, which the module registers automatically, decompresses the whole archive into memory with no bound on its expanded size. The server consumes all available memory and the service becomes unavailable (denial of service). No authentication or user interaction is required beyond sending the request.
Recommendations: Update to version 0.131.0 or later, which resolves the issue. If you cannot update immediately, unregister (disable) the ZipFileBodyDecoder so that ZIP parts are no longer decompressed during validation, restrict which endpoints accept multipart/form-data uploads and who may reach them, and cap the request body size at the server or proxy. Avoid accepting ZIP uploads on the affected API endpoints until the update is deployed.
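The decode-without-bound pattern behind this advisory, beside the bound a fixed decoder should enforce, as an added example in Go. This is not kin-openapi's own code: decodeZipNaive only mirrors the shape of the vulnerable behaviour (read every entry to completion into memory), decodeZipBounded is the author's hardened counterpart, and the archive is constructed inline so the example runs offline with the standard library alone.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
)

// ErrDecompressedTooLarge is returned when an archive would expand past the caller's budget.
var ErrDecompressedTooLarge = errors.New("zip: decompressed size exceeds limit")

// buildZip returns a constructed in-memory archive holding one entry of size zero bytes.
// Zeros deflate extremely well, so a few KiB of request body expands to size bytes on
// decode: the same asymmetry a ZIP bomb exploits.
func buildZip(name string, size int) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, err := zw.Create(name)
	if err != nil {
		panic(err)
	}
	chunk := make([]byte, 64*1024) // written repeatedly so the example never holds size bytes itself
	for written := 0; written < size; {
		n := len(chunk)
		if size-written < n {
			n = size - written
		}
		if _, err := w.Write(chunk[:n]); err != nil {
			panic(err)
		}
		written += n
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// decodeZipNaive mirrors the vulnerable pattern: every entry is inflated to completion
// into memory with no limit on the decompressed size. Returns the bytes it ended up holding.
func decodeZipNaive(body []byte) (int, error) {
	zr, err := zip.NewReader(bytes.NewReader(body), int64(len(body)))
	if err != nil {
		return 0, err
	}
	total := 0
	for _, f := range zr.File {
		rc, err := f.Open()
		if err != nil {
			return 0, err
		}
		data, err := io.ReadAll(rc) // grows until the archive is exhausted or memory is
		rc.Close()
		if err != nil {
			return 0, err
		}
		total += len(data)
	}
	return total, nil
}

// decodeZipBounded enforces one decompressed-byte budget across all entries. The
// header's advertised size is checked first (cheap, but attacker-controlled), then the
// same budget is enforced on the inflated stream, so a lying header cannot bypass it.
func decodeZipBounded(body []byte, maxDecompressed int64) (int64, error) {
	zr, err := zip.NewReader(bytes.NewReader(body), int64(len(body)))
	if err != nil {
		return 0, err
	}
	var total int64
	for _, f := range zr.File {
		remaining := maxDecompressed - total
		if f.UncompressedSize64 > uint64(remaining) {
			return total, ErrDecompressedTooLarge
		}
		rc, err := f.Open()
		if err != nil {
			return total, err
		}
		// Read at most one byte past the budget: reaching it proves the real content is too big.
		n, err := io.Copy(io.Discard, io.LimitReader(rc, remaining+1))
		rc.Close()
		if err != nil {
			return total, err
		}
		if n > remaining {
			return total, ErrDecompressedTooLarge
		}
		total += n
	}
	return total, nil
}

func main() {
	body := buildZip("payload.bin", 8<<20) // 8 MiB of zeros, a few KiB on the wire
	fmt.Printf("compressed request body: %d bytes\n", len(body))
	n, err := decodeZipNaive(body)
	fmt.Printf("naive decoder held %d bytes in memory (err=%v)\n", n, err)
	m, err := decodeZipBounded(body, 1<<20) // 1 MiB budget
	fmt.Printf("bounded decoder stopped after %d bytes: %v\n", m, err)
}
```

The compressed side needs a cap as well: in an HTTP handler, wrap the request body with http.MaxBytesReader before any decoder buffers it. For kin-openapi specifically, the library keys its body decoders by content type through RegisterBodyDecoder and UnregisterBodyDecoder in the openapi3filter package; on a version before 0.131.0, calling openapi3filter.UnregisterBodyDecoder with the ZIP content type at startup is the concrete form of the "disable the ZipFileBodyDecoder" workaround above (the exact content-type key is an assumption to verify against the version you run).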

Exploit

Fix

DoS

Weakness Enumeration

Related Identifiers

CLEANSTART-2026-AC01087
CLEANSTART-2026-NX54250
CLEANSTART-2026-UD70996
CVE-2025-30153
ECHO-0336-B3F9-6A96
GHSA-WQ9G-9VFC-CFQ9
GO-2025-3533
OPENSUSE-SU-2025:14937-1
OPENSUSE-SU-2026:10731-1
OPENSUSE-SU-2026:20788-1
SUSE-SU-2026:21756-1
SUSE-SU-2026:21827-1

Affected Products

Kin-Openapi