GHSA-53x6-4x5p-rrvv

GitHub Security Advisory

Denial of Service in Apache Commons Compress

✓ GitHub Reviewed HIGH Has CVE

Advisory Details

The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress.

Affected Packages

Maven org.apache.commons:commons-compress
Affected versions: 1.15 (fixed in 1.19)
Maven io.github.1tchy.java9modular.org.apache.commons:commons-compress

Related CVEs

Key Information

GHSA ID: GHSA-53x6-4x5p-rrvv
Published: October 11, 2019 6:41 PM
Last Modified: June 15, 2021 5:21 PM
CVSS Score: 7.5/10
Primary Ecosystem: Maven
Primary Package: org.apache.commons:commons-compress
GitHub Reviewed: ✓ Yes

Dataset

Last updated: July 27, 2025 6:35 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.