CVE-2025-63914
BaseFortify
Publication date: 2025-11-24
Last updated on: 2025-12-30
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cinnamon | kotaemon | 0.11.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-409 | The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Cinnamon kotaemon 0.11.0 where the _may_extract_zip function does not validate the contents of uploaded ZIP files. An attacker with file upload permissions can upload a ZIP bomb, which, when decompressed, causes excessive resource consumption on the server. Although the temporary extraction folder is cleared before each extraction, the extracted data can still occupy disk space if no further files are uploaded, potentially making the system unavailable.
How can this vulnerability impact me?
The vulnerability can lead to denial of service by exhausting server resources during decompression of a ZIP bomb. It can also cause disk space exhaustion if the extracted data remains, potentially rendering the system unavailable and disrupting normal operations.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, restrict or carefully control file upload permissions to prevent unauthorized users from uploading ZIP files. Monitor and limit resource usage during ZIP file extraction to avoid excessive consumption. Additionally, implement checks on uploaded ZIP files to detect and block ZIP bombs before extraction. Regularly clear temporary extraction folders and monitor disk space to prevent system unavailability.
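The pre-extraction check described above, as an added example that is not part of the advisory or of the kotaemon code base: the header check rejects entries with an implausible compression ratio or an excessive declared total, and the metered extraction enforces the same budget on the bytes actually produced, so the limit holds even when an archive's headers understate its contents. The budget values, function names and sample archives are constructed for this example.

```python
import io
import zipfile

MAX_TOTAL_UNCOMPRESSED = 10 * 1024 * 1024  # 10 MiB across all entries (constructed budget)
MAX_COMPRESSION_RATIO = 100                # uncompressed / compressed, per entry

class ZipBombRejected(Exception):
    """Raised when an archive exceeds the configured extraction budget."""

def inspect_zip(data: bytes) -> int:
    """Pre-extraction check on the central directory; returns the declared total size."""
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            ratio = info.file_size / max(info.compress_size, 1)  # avoid /0 on empty entries
            if ratio > MAX_COMPRESSION_RATIO:
                raise ZipBombRejected(f"{info.filename}: ratio {ratio:.0f}")
            total += info.file_size
            if total > MAX_TOTAL_UNCOMPRESSED:
                raise ZipBombRejected(f"declared total {total} exceeds budget")
    return total

def extract_bounded(data: bytes) -> int:
    """Decompress in 64 KiB chunks, metering the bytes actually produced (a real handler
    would write each chunk to the temp folder); returns the total written."""
    produced = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as src:
                while chunk := src.read(64 * 1024):
                    produced += len(chunk)
                    if produced > MAX_TOTAL_UNCOMPRESSED:
                        raise ZipBombRejected(f"{info.filename}: output exceeded budget")
    return produced

def vet_upload(data: bytes) -> tuple[bool, str]:
    """Upload-handler entry point: header check first, metered extraction second."""
    try:
        inspect_zip(data)
        return True, f"ok: {extract_bounded(data)} bytes extracted"
    except (ZipBombRejected, zipfile.BadZipFile) as exc:
        return False, str(exc)

def make_zip(entries: dict[str, bytes]) -> bytes:
    """Constructed sample archive (not from the advisory)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()
```

A 20 MiB run of zero bytes deflates to a few tens of kilobytes, so `vet_upload(make_zip({"bomb.bin": b"\0" * (20 * 1024 * 1024)}))` is refused on the ratio check before anything is decompressed, while a small text upload passes both stages.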