CVE-2024-5569 Overview
A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinite loop. This issue also impacts the zipfile module of CPython, as features from the third-party zipp library are later merged into CPython, and the affected code is identical in both projects.
The infinite loop can be initiated through the use of functions affecting the Path module in both zipp and zipfile, such as joinpath, the overloaded division operator, and iterdir. Although the infinite loop is not resource exhaustive, it prevents the application from responding, effectively causing a denial of service condition.
Critical Impact
Applications processing untrusted zip files using the zipp or CPython zipfile modules are vulnerable to denial of service through an infinite loop condition that renders the application unresponsive.
Affected Products
- jaraco/zipp library versions prior to 3.19.1
- CPython zipfile module (affected code merged from zipp)
- Applications using zipp's Path module functions
Discovery Timeline
- 2024-07-09 - CVE CVE-2024-5569 published to NVD
- 2025-10-15 - Last updated in NVD database
Technical Details for CVE-2024-5569
Vulnerability Analysis
This vulnerability is classified as CWE-835 (Loop with Unreachable Exit Condition), commonly known as an infinite loop vulnerability. The flaw exists in how the zipp library handles path processing within zip archives.
When a malformed zip file with specially crafted path entries is processed, the library enters an infinite loop condition. The vulnerability manifests when using Path module functions including joinpath, the overloaded division operator (/), and iterdir. While the infinite loop does not exhaust system memory or CPU resources aggressively, it effectively blocks the application thread from completing operations, rendering the application unresponsive.
The issue is particularly significant because the affected code from the zipp library was later merged into CPython's standard zipfile module, meaning the vulnerability affects both the third-party library and Python's built-in functionality.
Root Cause
The root cause stems from improper handling of malformed path entries within zip archives. The library failed to properly sanitize path names, allowing specially crafted entries to create conditions where path traversal operations never terminate. This occurs because the path resolution logic encounters circular or malformed path components that cause the iteration to loop indefinitely.
Attack Vector
The attack requires local access (AV:L) where an attacker must convince a victim application to process a maliciously crafted zip file. The attack has low complexity (AC:L) and requires no privileges (PR:N) or user interaction (UI:N) beyond the initial file processing. The impact is limited to availability (A:H), with no effect on confidentiality or integrity.
An attacker could exploit this vulnerability by:
- Creating a specially crafted zip file with malformed path entries
- Submitting the malicious zip file to an application that uses zipp or Python's zipfile module
- When the application processes the file using Path operations, it enters an infinite loop
super().__init__(*args, **kwargs)
-class CompleteDirs(InitializedState, zipfile.ZipFile):
+class SanitizedNames:
+ """
+ ZipFile mix-in to ensure names are sanitized.
+ """
+
+ def namelist(self):
+ return list(map(self._sanitize, super().namelist()))
+
+ @staticmethod
+ def _sanitize(name):
+ r"""
+ Ensure a relative path with posix separators and no dot names.
+
+ Modeled after
+ https://github.com/python/cpython/blob/bcc1be39cb1d04ad9fc0bd1b9193d3972835a57c/Lib/zipfile/__init__.py#L1799-L1813
+ but provides consistent cross-platform behavior.
+
+ >>> san = SanitizedNames._sanitize
+ >>> san('/foo/bar')
+ 'foo/bar'
+ >>> san('//foo.txt')
+ 'foo.txt'
+ >>> san('foo/.././bar.txt')
+ 'foo/bar.txt'
+ >>> san('foo../.bar.txt')
+ 'foo../.bar.txt'
Source: GitHub Commit Details
The patch introduces a SanitizedNames mix-in class that sanitizes path names by ensuring they are relative paths with POSIX separators and no problematic dot names (. and ..). This prevents the malformed paths from causing infinite loop conditions.
Detection Methods for CVE-2024-5569
Indicators of Compromise
- Application processes hanging indefinitely when processing zip files
- Increased CPU usage in threads handling zip file operations without memory growth
- Application timeouts or unresponsiveness when extracting or iterating zip archive contents
- Error logs showing incomplete zip operations that never terminate
Detection Strategies
- Monitor application threads for extended blocking operations during zip file processing
- Implement application-level watchdog timers for zip processing operations
- Review dependency manifests for zipp versions prior to 3.19.1
- Use software composition analysis (SCA) tools to identify vulnerable library versions
Monitoring Recommendations
- Configure application performance monitoring (APM) to alert on thread starvation conditions
- Set up process monitoring for applications that process user-supplied zip files
- Implement request timeout monitoring for services accepting zip file uploads
- Enable logging for zip file processing duration to establish baselines and detect anomalies
How to Mitigate CVE-2024-5569
Immediate Actions Required
- Upgrade jaraco/zipp library to version 3.19.1 or later immediately
- Audit applications to identify usage of affected zipp or zipfile Path module functions
- Implement input validation to reject potentially malformed zip files before processing
- Consider adding timeout mechanisms around zip file processing operations
Patch Information
The vulnerability was addressed in version 3.19.1 of jaraco/zipp. The fix introduces a SanitizedNames mix-in class that sanitizes path names before processing, ensuring relative paths with POSIX separators and removing problematic dot names.
For detailed patch information, refer to the GitHub Commit Details. Additional security research details are available at the Huntr Security Bounty page.
Workarounds
- Implement processing timeouts for zip file operations to prevent indefinite hangs
- Validate zip file structure and path entries before processing with zipp functions
- Isolate zip processing in separate threads or processes with resource limits
- Restrict zip file uploads to trusted sources until the library can be upgraded
# Upgrade zipp to patched version
pip install --upgrade "zipp>=3.19.1"
# Verify installed version
pip show zipp | grep Version
# Check for vulnerable versions in requirements
pip list --outdated | grep -i zipp
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
