CVE-2024-0450 Overview
An issue was found in the CPython zipfile module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to "quoted-overlap" zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython make the zipfile module reject zip archives which overlap entries in the archive.
This vulnerability represents a Denial of Service (DoS) attack vector through resource exhaustion. Attackers can craft malicious zip archives that, when processed by vulnerable Python applications, can consume excessive system resources and potentially crash the application or system.
Critical Impact
Applications using CPython's zipfile module to process untrusted zip archives are vulnerable to denial of service through quoted-overlap zip-bombs that can achieve extremely high compression ratios and exhaust system resources.
Affected Products
- CPython 3.12.1 and prior
- CPython 3.11.7 and prior
- CPython 3.10.13 and prior
- CPython 3.9.18 and prior
- CPython 3.8.18 and prior
Discovery Timeline
- March 19, 2024 - CVE-2024-0450 published to NVD
- November 3, 2025 - Last updated in NVD database
Technical Details for CVE-2024-0450
Vulnerability Analysis
The vulnerability exists in CPython's zipfile module due to improper handling of zip archive structures. The "quoted-overlap" technique allows attackers to create zip archives where multiple entries reference the same compressed data with overlapping file offsets. This exploitation of the zip format specification enables the creation of zip-bombs with extraordinarily high compression ratios.
When a vulnerable Python application processes such a malicious archive, the extraction or reading process can result in massive memory consumption and CPU utilization as the same compressed data is repeatedly decompressed for what appears to be multiple distinct files. This can lead to complete system resource exhaustion and denial of service.
The attack vector is local, requiring the attacker to deliver a malicious zip file to the target system. However, many applications process user-supplied zip archives, making this vulnerability particularly dangerous for web services, file upload handlers, and automated processing systems.
Root Cause
The root cause is classified as CWE-405 (Asymmetric Resource Consumption - Amplification). The zipfile module did not validate whether zip archive entries overlap in the compressed data stream. The zip format allows specifying file offsets and sizes independently, and without proper validation, an attacker can construct archives where multiple logical files point to the same or overlapping compressed data regions, creating an asymmetric amplification between the small input archive size and the massive decompressed output.
Attack Vector
The attack requires local access to deliver a malicious zip file to the target application. The attacker crafts a specially constructed zip archive using the quoted-overlap technique, where multiple file entries in the archive's central directory reference overlapping portions of the same compressed data block.
When a vulnerable application uses Python's zipfile module to list, extract, or read the archive contents, the module processes each entry independently without detecting the overlap. This results in the same compressed data being decompressed multiple times, potentially consuming gigabytes or terabytes of memory and disk space from an archive that may only be kilobytes in size.
For more technical details on zip-bomb construction techniques, refer to the Bam Software Zip Bomb Article.
Detection Methods for CVE-2024-0450
Indicators of Compromise
- Unexpected memory exhaustion or out-of-memory errors when processing zip archives
- Disk space rapidly filling during zip extraction operations
- Python processes consuming abnormally high CPU and memory resources
- Application crashes or hangs during zip file processing operations
Detection Strategies
- Monitor Python application resource consumption patterns for anomalous spikes during file processing operations
- Implement pre-extraction analysis of zip archives to detect suspiciously high compression ratios
- Log and alert on zip extraction operations that exceed expected size thresholds
- Use file integrity monitoring to detect large numbers of extracted files from small archives
Monitoring Recommendations
- Configure resource limits for processes that handle zip file extraction
- Implement logging for all zip archive processing operations including source, size, and extraction metrics
- Monitor for Python process crashes with memory-related errors
- Set up alerts for disk space consumption anomalies in directories where zip files are extracted
How to Mitigate CVE-2024-0450
Immediate Actions Required
- Upgrade CPython to patched versions: 3.12.2+, 3.11.8+, 3.10.14+, 3.9.19+, or 3.8.19+
- Review all applications that process untrusted zip files using Python's zipfile module
- Implement resource limits and sandboxing for zip extraction processes
- Consider using alternative archive handling libraries with built-in zip-bomb protection
Patch Information
Multiple patches have been released across all supported CPython branches. The fix makes the zipfile module reject zip archives which contain overlapping entries. Organizations should update to the latest patched version for their respective Python branch.
Patch commits are available in the GitHub CPython repository. Additional information is available through the Python Security Announce Thread and the Openwall Security List Post.
Linux distribution users should apply updates from their respective package repositories:
Workarounds
- Implement file size limits and decompression ratio checks before processing zip archives
- Use containerization or sandboxing to isolate zip extraction processes with strict resource limits
- Validate zip archives with external tools that detect quoted-overlap patterns before processing with Python
- Limit the maximum number of files and total extracted size allowed from user-supplied archives
# Example: Setting resource limits for Python processes handling zip files
# Using ulimit to restrict memory for the extraction process
ulimit -v 1048576 # Limit virtual memory to 1GB
ulimit -f 524288 # Limit file size to 512MB
# Alternative: Use cgroups for more granular control
# Create a memory-limited cgroup for zip processing
cgcreate -g memory:/zip_processing
echo 1073741824 > /sys/fs/cgroup/memory/zip_processing/memory.limit_in_bytes
cgexec -g memory:zip_processing python extract_archive.py
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
