Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-3816 is a denial of service (DoS) vulnerability in OWASP DefectDojo versions up to 2.55.4. It affects the function input_zip.read in the parser.py file of the SonarQubeParser and MSDefenderParser components. The vulnerability arises because the application reads the entire uncompressed content of each file in a user-uploaded ZIP archive into memory without validating the file size or compression ratio. This allows an authenticated attacker with permission to upload findings to submit a small, highly compressed ZIP file (a "zip bomb") that decompresses to a very large size, causing excessive memory consumption.'}, {'type': 'paragraph', 'content': 'This excessive memory usage can lead to an Out-Of-Memory (OOM) crash or severe performance degradation, resulting in denial of service. The attack can be initiated remotely and does not require local access. The vulnerability is due to improper resource management (CWE-404) and is tracked under MITRE ATT&CK technique T1499 (resource exhaustion).'}, {'type': 'paragraph', 'content': 'A fix has been implemented in version 2.56.0 by introducing safer ZIP file handling functions that validate ZIP file contents before reading, preventing zip bomb attacks.'}] [1, 3, 5, 6]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by causing denial of service on your OWASP DefectDojo server. An attacker who can upload findings can submit a malicious ZIP file that decompresses to a very large size, causing the server to consume excessive memory.

The excessive memory consumption can lead to an Out-Of-Memory crash, causing the application process to terminate unexpectedly or severely degrade system performance and stability.

Repeated exploitation can repeatedly crash or destabilize the server, resulting in downtime and loss of availability of the DefectDojo service.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'The vulnerability manifests when the server processes uploaded ZIP files through the endpoints POST /product/{id}/import_scan_results and GET /product/{id}/import_scan_results, selecting either the SonarQube Scan or MSDefender Parser. An authenticated attacker with permission to upload findings can exploit this by uploading a small, highly compressed ZIP file (a zip bomb) that decompresses to a very large size, causing excessive memory consumption and potentially crashing the server.'}, {'type': 'paragraph', 'content': 'Detection can involve monitoring for unusual memory spikes or Out-Of-Memory (OOM) crashes on the server when processing ZIP file uploads. Specifically, look for high memory usage or crashes triggered by requests to the import scan results endpoints.'}, {'type': 'paragraph', 'content': 'While no explicit detection commands are provided, system administrators can use standard Linux commands to monitor memory usage and process crashes, such as:'}, {'type': 'list_item', 'content': "Use 'top' or 'htop' to monitor real-time memory usage and identify processes consuming excessive memory."}, {'type': 'list_item', 'content': "Use 'dmesg' or 'journalctl' to check for kernel OOM killer logs indicating process termination due to memory exhaustion."}, {'type': 'list_item', 'content': "Use 'ps aux --sort=-%mem' to list processes by memory usage."}, {'type': 'list_item', 'content': 'Monitor web server logs for repeated POST requests to /product/{id}/import_scan_results endpoints that may indicate attempts to upload malicious ZIP files.'}, {'type': 'paragraph', 'content': 'Additionally, reviewing application logs for errors or crashes during ZIP file processing can help detect exploitation attempts.'}] [3, 5]

Useful 0 Not Useful 0

Mitigation Strategies

The primary and recommended mitigation step is to upgrade OWASP DefectDojo to version 2.56.0 or later, which includes a patch that safely handles ZIP file processing and prevents the denial of service caused by zip bomb attacks.

The patch introduces new utility functions that enforce limits on ZIP file processing, including:

• Maximum number of ZIP members: 1000
• Maximum uncompressed size per member: 512 MB
• Maximum total uncompressed size for the ZIP: 1 GB
• Maximum compression ratio (uncompressed/compressed): 100:1

These limits prevent resource exhaustion and denial of service by rejecting ZIP files that exceed safe thresholds.

Until the upgrade can be applied, consider restricting or disabling the ability for users to upload ZIP files for scan imports, or implement network-level controls to limit or inspect uploads for suspiciously compressed files.

Useful 0 Not Useful 0