A vulnerability was found in Moodle where the decompressed size of zip files was not checked against available user quota before unzipping them, which could lead to a denial of service risk. This affects versions 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. Fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14.

Affected Packages

Packagist moodle/moodle

Affected versions: 3.9 (fixed in 3.9.2)

Packagist moodle/moodle

Affected versions: 3.8 (fixed in 3.8.5)

Packagist moodle/moodle

Affected versions: 3.7 (fixed in 3.7.8)

Packagist moodle/moodle

Affected versions: 3.5 (fixed in 3.5.14)

Related CVEs

CVE-2020-25630

Key Information

GHSA ID

GHSA-66xp-28cq-mrf2

Published

May 24, 2022 5:35 PM

Last Modified

April 23, 2024 10:43 PM

CVSS Score

7.5 /10

Primary Ecosystem

Packagist

Primary Package

moodle/moodle

GitHub Reviewed

✓ Yes

Dataset

Last updated: June 15, 2025 6:24 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.