Skip to main content

Early Access — Mondoo Vulnerability Intelligence is currently in preview.

Mondoo Vulnerability Intelligence

Curated by Mondoo Research, enhanced with AI

Resources

Search Vulnerabilities
Trending CVEs
Browse Ecosystems
Terminology
Blog

Open Source

cnquery
cnspec

Star us on GitHub!

Company

Mondoo Platform
About
Contact

© 2026 Mondoo, Inc.

Privacy Policy Terms of Service Imprint

Vulnerability Intelligence

CVE-2024-0450

MEDIUM6.2

Quoted zip-bomb protection for zipfile

Published Mar 19, 2024

Modified 2 months ago

No fix available

Details

An issue was found in the CPython zipfile module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.

The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.

References

WEBhttp://www.openwall.com/lists/oss-security/2024/03/20/5 FIXhttps://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85 FIXhttps://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba FIXhttps://github.com/python/cpython/commit/70497218351ba44bffc8b571201ecb5652d84675 FIXhttps://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51 FIXhttps://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549 FIXhttps://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183 FIXhttps://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b WEBhttps://github.com/python/cpython/issues/109858 WEBhttps://lists.debian.org/debian-lts-announce/2024/03/msg00024.html WEBhttps://lists.debian.org/debian-lts-announce/2024/03/msg00025.html WEBhttps://lists.debian.org/debian-lts-announce/2024/11/msg00005.html WEBhttps://lists.debian.org/debian-lts-announce/2024/12/msg00000.html WEBhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/WEBhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/ADVISORYhttps://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/WEBhttps://security.netapp.com/advisory/ntap-20250411-0005/WEBhttps://www.bamsoftware.com/hacks/zipbomb/ADVISORYhttps://www.cve.org/CVERecord?id=CVE-2024-0450

CVSS Analysis

CVSS v3.1

6.2

Exploitability

Attack Vector

LocalAV:L

Attack Complexity

LowAC:L

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Scope

Scope

UnchangedS:U

Impact

Confidentiality

NoneC:N

Integrity

NoneI:N

Availability

HighA:H

6.2/CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Weakness Type (CWE)

Other

Ecosystems

Timeline

PublishedMar 19, 2024

ModifiedNov 3, 2025

CVE-2024-0450 | Mondoo Vulnerability Intelligence