GHSA-c3f2-qg8v-25q2

Published: 09 Apr. 2026
Source: github
Github: Reviewed
CVSS4: 8.7
CVSS3: 7.5

Description

Duplicate Advisory: Unfurl's unbounded zlib decompression allows decompression bomb DoS

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-h5qv-qjv4-pc5m. This link is maintained to preserve external references.

Original Description

Unfurl before 2026.04 contains an unbounded zlib decompression vulnerability in parse_compressed.py that allows remote attackers to cause denial of service. Attackers can submit highly compressed payloads via URL parameters to the /json/visjs endpoint that expand to gigabytes, exhausting server memory and crashing the service.
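The standard mitigation for this class of bug (CWE-409) is to cap the inflated size instead of calling an unbounded decompress. The sketch below is an added example, not Unfurl's code and not the project's actual fix; the function names, the 1 MiB cap and the sample inputs are assumptions made for illustration.

```python
import zlib

MAX_OUTPUT_BYTES = 1 * 1024 * 1024  # assumed cap; size it to the largest legitimate payload


class DecompressionLimitExceeded(ValueError):
    """Raised when a stream would expand past the configured cap."""


def bounded_zlib_decompress(data: bytes, limit: int = MAX_OUTPUT_BYTES) -> bytes:
    """Inflate a zlib stream while never holding more than limit + 1 output bytes."""
    inflater = zlib.decompressobj()
    # max_length makes zlib stop producing output once the buffer is full;
    # remaining input is left in inflater.unconsumed_tail instead of being inflated.
    out = inflater.decompress(data, limit + 1)
    if len(out) > limit:
        raise DecompressionLimitExceeded(
            f"output exceeds {limit} bytes with "
            f"{len(inflater.unconsumed_tail)} input bytes still unread"
        )
    if not inflater.eof:
        # All input was consumed but the stream never reached its trailer.
        raise ValueError("truncated zlib stream")
    return out


def make_constructed_bomb(expanded_size: int) -> bytes:
    """Constructed test fixture: expanded_size zero bytes compressed at level 9."""
    return zlib.compress(b"\x00" * expanded_size, 9)


def safe_parse(data: bytes, limit: int = MAX_OUTPUT_BYTES):
    """Hypothetical caller: returns (ok, detail) so a bad input cannot crash the worker."""
    try:
        return True, bounded_zlib_decompress(data, limit)
    except DecompressionLimitExceeded as exc:
        return False, f"rejected: {exc}"
    except (ValueError, zlib.error) as exc:
        return False, f"invalid: {exc}"


if __name__ == "__main__":
    bomb = make_constructed_bomb(32 * 1024 * 1024)
    print(len(bomb), safe_parse(bomb))
    print(safe_parse(zlib.compress(b"https://example.com/?q=dfir")))
```

The cap bounds memory per call; a request handler would normally pair it with a limit on the size of the compressed input it accepts.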

Packages

Name: dfir-unfurl (pip)
Affected versions: < 2026.04
Fixed version: 2026.04

CVSS4: 8.7 High
CVSS3: 7.5 High

Weaknesses: CWE-409
