Decompression Bomb (Severity: High)

Decompression bombs are maliciously crafted compressed files designed to decompress to an extremely large size. If compressed data from an untrusted source is decompressed without limiting the output size, it can exhaust server memory or disk space and cause a denial of service. Common Go decompression packages such as gzip, zlib, bzip2 and flate do not restrict the size of the decompressed data. Failing to use io.LimitReader or another size limit when decompressing untrusted data is a vulnerability that can be exploited with decompression bombs.

Detector ID: go/decompression-bomb@v1.0
Category: Common Weakness Enumeration (CWE)