When reading a specially crafted ZIP archive, the read method of Apache Commons Compress 1.7 to 1.17's ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. When combined with a java.io.InputStreamReader this can lead to an infinite stream, which can be used to mount a denial of service attack against services that use Compress' zip package.

Affected Packages

Maven org.apache.commons:commons-compress

Affected versions: 1.7 (fixed in 1.18)

Related CVEs

CVE-2018-11771

Key Information

GHSA ID

GHSA-hrmr-f5m6-m9pq

Published

October 19, 2018 4:41 PM

Last Modified

June 5, 2024 5:11 PM

CVSS Score

5.0 /10

Primary Ecosystem

Maven

Primary Package

org.apache.commons:commons-compress

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 28, 2025 6:37 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.