Improper Handling of Highly Compressed Data (Data Amplification)
CVE-2025-30153
Summary
kin-openapi is a Go library for handling OpenAPI files. In versions of the github.com/getkin/kin-openapi package prior to 0.131.0, when a request is validated against a "multipart/form-data" schema and the OpenAPI schema allows the upload, an attacker could upload a crafted ZIP file (e.g., a ZIP bomb) and cause the server to consume all available system memory. The root cause is the "ZipFileBodyDecoder", which the module registers automatically, contrary to what the documentation states.
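As an added defensive illustration (example code, not kin-openapi's own), the following Go function shows the control a body decoder needs against this class of input: it caps total decompressed output by counting the bytes actually produced, rather than trusting the sizes declared in the archive. The function name, the 64 KiB cap and the sample archive are assumptions constructed for the example.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
)

var ErrDecompressedTooLarge = errors.New("zip: decompressed size exceeds limit")
// ReadZipBounded decodes an in-memory ZIP archive, capping total decompressed output by
// counting bytes actually produced, not the attacker-controlled UncompressedSize64 header.
func ReadZipBounded(data []byte, maxTotal uint64) (map[string][]byte, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	out := make(map[string][]byte, len(r.File))
	var total uint64
	for _, f := range r.File {
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		remaining := maxTotal - total // total <= maxTotal, so this never underflows
		// Read at most remaining+1 bytes: the extra byte reveals an over-limit entry
		// without ever buffering more than the cap allows.
		buf, err := io.ReadAll(io.LimitReader(rc, int64(remaining)+1))
		rc.Close()
		if err != nil {
			return nil, err
		}
		if uint64(len(buf)) > remaining {
			return nil, ErrDecompressedTooLarge
		}
		total += uint64(len(buf))
		out[f.Name] = buf
	}
	return out, nil
}
func main() {
	// Constructed sample (not from the advisory): 1 MiB of 'A' deflates to a few KiB.
	var b bytes.Buffer
	w := zip.NewWriter(&b)
	fw, _ := w.Create("bomb.txt")
	fw.Write(bytes.Repeat([]byte{'A'}, 1<<20))
	w.Close()
	_, err := ReadZipBounded(b.Bytes(), 1<<16) // 64 KiB cap on decompressed output
	fmt.Println(err) // zip: decompressed size exceeds limit
}
```

The same bound should be applied per request, since several small entries or several files in one multipart body add up to the same exposure as a single large entry.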
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- NONE
- HIGH
CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)
The software does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.
References
Advisory Timeline
- Published