CVE-2024-0450

MEDIUM

Published 2024-03-19T15:12:07.789Z

Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2024-0450. We'll provide specific mitigation strategies based on your environment and risk profile.

CVSS Score

V3.1

6.2

/10

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Score Metrics

Exploitability: N/A Impact: N/A

EPSS Score

v2025.03.14

0.002

probability

of exploitation in the wild

There is a 0.2% chance that this vulnerability will be exploited in the wild within the next 30 days.

Updated: 2025-06-25

Exploit Probability

Percentile: 0.393

Higher than 39.3% of all CVEs

Attack Vector Metrics

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Impact Metrics

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Description

An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.

The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

Python Software Foundation

CPython

Affected Versions:

0 3.9.0 3.10.0 3.11.0 3.12.0 3.13.0a1

python

cpython

Affected Versions:

0 3.9.18 3.10.13 3.11.7 3.12.1

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

⚠ Unreviewed MODERATE

GHSA-jm46-725r-hh9v

Advisory Details

An issue was found in the CPython `zipfile` module affecting versions 3.12.2, 3.11.8, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.

CVSS Scoring

CVSS Score

5.0

CVSS Vector


                                    CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-0450

WEB https://github.com/python/cpython/issues/109858

WEB https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85

WEB https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba

WEB https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51

WEB https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549

WEB https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183

WEB https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b

WEB https://lists.debian.org/debian-lts-announce/2024/03/msg00024.html

WEB https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html

WEB https://mail.python.org/archives/list/[email protected]/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG

WEB https://www.bamsoftware.com/hacks/zipbomb

Advisory provided by GitHub Security Advisory Database. Published: March 19, 2024, Modified: March 25, 2024

References

https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba

https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b

https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549

https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85

https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51

https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183

https://github.com/python/cpython/issues/109858

https://www.bamsoftware.com/hacks/zipbomb/

https://mail.python.org/archives/list/[email protected]/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/

https://lists.debian.org/debian-lts-announce/2024/03/msg00024.html

https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html

http://www.openwall.com/lists/oss-security/2024/03/20/5

https://github.com/python/cpython/commit/70497218351ba44bffc8b571201ecb5652d84675

https://lists.fedoraproject.org/archives/list/[email protected]/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/

https://lists.fedoraproject.org/archives/list/[email protected]/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/

Published: 2024-03-19T15:12:07.789Z

Last Modified: 2025-04-11T22:03:14.930Z

Copied to clipboard!

CVE-2024-0450

Expert Analysis

CVSS Score

EPSS Score

Attack Vector Metrics

Impact Metrics

Description

Available Exploits

Related News

Affected Products

CPython

Affected Versions:

cpython

Affected Versions:

GitHub Security Advisories

Advisory Details

CVSS Scoring

CVSS Score

CVSS Vector

References

References

Request Analysis

What to expect

Request Received!