CVE-2025-53633
BaseFortify
Publication date: 2025-07-10
Last updated on: 2025-08-14
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ctfer-io | chall-manager | to 0.1.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-405 | The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric." |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Chall-Manager involves the system decoding zip archives without checking the size of the decompressed content. This can lead to a zip bomb decompression attack, where a maliciously crafted zip file expands to an extremely large size, potentially overwhelming system resources. The vulnerability can be exploited without any authentication or authorization.
How can this vulnerability impact me? :
Exploiting this vulnerability can cause resource exhaustion on the system running Chall-Manager, potentially leading to denial of service or system instability. Since no authentication is required, an attacker can trigger this remotely, impacting availability and possibly disrupting services relying on Chall-Manager.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update Chall-Manager to version 0.1.4 or later where the patch (commit 14042aa) has been applied. Additionally, ensure that Chall-Manager is deployed deep within your infrastructure to limit exposure, as exploitation does not require authentication or authorization.