CVE-2026-55195
Received Received - Intake

Path Traversal in py7zr Archive Extraction

Vulnerability report for CVE-2026-55195, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

py7zr is a Python-based library and utility to support 7zip archive compression, decompression, encryption and decryption. Prior to 1.1.3, py7zr's Worker.decompress() extracted archive entries without tracking total decompressed size, allowing a crafted .7z file such as a 15.6 KB archive that expands to 100 MB to exhaust disk or memory before extraction completes. This issue is fixed in version 1.1.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
py7zr py7zr to 1.1.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-409 The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the py7zr Python library, which is used for handling 7zip archives. Before version 1.1.3, the Worker.decompress() function did not track the total decompressed size of archive entries. This allowed an attacker to craft a small .7z archive file that, when decompressed, would expand to a very large size, such as a 15.6 KB archive expanding to 100 MB. This could cause exhaustion of disk space or memory during extraction.

Impact Analysis

The vulnerability can lead to resource exhaustion on the system where the py7zr library is used. Specifically, extracting a maliciously crafted archive can consume excessive disk space or memory, potentially causing denial of service by exhausting system resources before the extraction process completes.

Mitigation Strategies

To mitigate this vulnerability, upgrade py7zr to version 1.1.3 or later, where the issue with decompressing crafted .7z files that can exhaust disk or memory has been fixed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55195. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart