
Title: [security] zipfile: ZIP Bomb vulnerability, don't check announced uncompressed size
Type: security
Stage: resolved
Components: Library (Lib)
Versions: Python 3.9, Python 3.8, Python 3.7, Python 3.6, Python 3.5, Python 2.7
Status: closed
Resolution: duplicate
Dependencies:
Superseder: [security] CVE-2019-9674: Zip Bomb vulnerability (view: 36260)
Assigned To:
Nosy List: christian.heimes, rschiron, serhiy.storchaka, vstinner, xtreak
Priority: normal
Keywords:

Created on 2020-01-15 09:57 by vstinner, last changed 2022-04-11 14:59 by admin. This issue is now closed.

Files (3, names not preserved in this copy):
  Uploaded by vstinner, 2020-01-15 09:58
  Uploaded by vstinner, 2020-01-15 10:00
  Uploaded by vstinner, 2020-01-15 10:00
Messages (7)
msg360034 - Author: STINNER Victor (vstinner) * (Python committer) Date: 2020-01-15 09:57
Laish, Amit (GE Digital) reported a vulnerability in the zipfile module to the PSRT list. The module is vulnerable to a ZIP bomb:

A 100 KB malicious ZIP file announces an uncompressed size of 1 byte but extracting it writes 100 MB on disk.

Python 2.7 is vulnerable.

Python 3.7 does not seem to be directly vulnerable. The proof of concept fails with:

$ python3 
The size of the uncompressed data is: 1 bytes
Traceback (most recent call last):
  File "", line 18, in <module>
    extract() # The uncompressed size is more than 20GB :)
  File "", line 6, in extract
  File "/usr/lib64/python3.7/", line 1636, in extractall
    self._extract_member(zipinfo, path, pwd)
  File "/usr/lib64/python3.7/", line 1691, in _extract_member
    shutil.copyfileobj(source, target)
  File "/usr/lib64/python3.7/", line 79, in copyfileobj
    buf =
  File "/usr/lib64/python3.7/", line 930, in read
    data = self._read1(n)
  File "/usr/lib64/python3.7/", line 1020, in _read1
  File "/usr/lib64/python3.7/", line 948, in _update_crc
    raise BadZipFile("Bad CRC-32 for file %r" %
zipfile.BadZipFile: Bad CRC-32 for file 'dummy1.txt'

The malicious ZIP file size is 100 KB. Extracting it writes dummy1.txt: 100 MB made only of a single character, "0" (zero, Unicode character U+0030 or byte 0x30), repeated over 100 MB.

The original proof of concept used a 20 MB ZIP writing 20 GB on disk. It's just the same text file repeated in 200 files. I created a smaller ZIP just to be able to upload it to

Attached files:

* created by modifying the uncompressed size of the compressed dummy1.txt
* compressed dummy1.txt, file size is 100 KB
* extract


The zipfile documentation describes "Decompression pitfalls":

The zlib.decompress() function has a max_length parameter:

See also my notes on "Archives and Zip Bomb":


The unzip program of the Fedora unzip-6.0-44.fc31.x86_64 package has the same vulnerability:

$ unzip 
  inflating: dummy1.txt 

$ unzip -l 
  Length      Date    Time    Name
---------  ---------- -----   ----
        1  03-12-2019 14:10   dummy1.txt
---------                     -------
        1                     1 file


According to Riccardo Schirone (Red Hat), p7zip, on the other hand, seems to use the minimum value between the header value and the file one, so it extracts only 1 byte and correctly complains about CRC failures.
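The mitigation this message circles around, p7zip's "trust the smaller of the header value and your own limit" behaviour and the `max_length` argument of zlib's `Decompress.decompress()`, as an added example that is neither part of this issue nor of CPython's zipfile module. It is a bounded extractor: announced sizes are checked against a budget up front, and each member is then inflated under its own cap so a header that lies about the uncompressed size cannot turn a small archive into a large write. The helpers `seek_member_data`, `bounded_inflate`, `safe_extract`, `outcome`, the use of the archive's `zf.fp` file object and the constructed 1 MiB archive are this example's assumptions; the lying-header case is simulated by editing the in-memory `ZipInfo` rather than crafting a file.

```python
import io
import struct
import zipfile
import zlib

# Local file header (PKZIP APPNOTE 4.3.7): signature, version needed, flags, method,
# mtime, mdate, crc32, compressed size, uncompressed size, name length, extra length.
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")
LOCAL_SIG = b"PK\x03\x04"
CHUNK = 64 * 1024


class ZipBombError(zipfile.BadZipFile):
    """A member would inflate past what its header announces or what the caller allows."""


def seek_member_data(zf, zi):
    """Position the archive's file object (zf.fp, assumed here) at zi's first compressed byte.
    Sizes are taken only from the central directory entry zi; the local header is
    parsed just to skip its variable-length name and extra fields."""
    fp = zf.fp
    fp.seek(zi.header_offset)
    fields = LOCAL_HEADER.unpack(fp.read(LOCAL_HEADER.size))
    if fields[0] != LOCAL_SIG:
        raise zipfile.BadZipFile("bad local header for %r" % zi.filename)
    name_len, extra_len = fields[9], fields[10]
    fp.seek(zi.header_offset + LOCAL_HEADER.size + name_len + extra_len)
    return fp


def bounded_inflate(fp, zi, budget, sink):
    """Inflate one deflated member into sink, writing at most min(zi.file_size, budget) bytes.
    The decompressor is asked for at most one byte past that cap, so it never produces
    the data a lying header would otherwise let through; that extra byte is the proof."""
    if zi.compress_type != zipfile.ZIP_DEFLATED:
        raise NotImplementedError("example handles deflate only")
    if zi.flag_bits & 0x1:
        raise NotImplementedError("encrypted members not handled")
    limit = min(zi.file_size, budget)
    inflater = zlib.decompressobj(-zlib.MAX_WBITS)   # raw deflate, as stored inside ZIP
    produced, crc, left, pending = 0, 0, zi.compress_size, b""
    while not inflater.eof:
        if not pending and left:
            pending = fp.read(min(CHUNK, left))
            left = left - len(pending) if pending else 0   # short read: stop feeding
        out = inflater.decompress(pending, min(CHUNK, limit + 1 - produced))
        pending = inflater.unconsumed_tail
        produced += len(out)
        if produced > limit:
            raise ZipBombError("%r announces %d bytes, allowed %d, but inflates to more"
                               % (zi.filename, zi.file_size, limit))
        crc = zlib.crc32(out, crc)
        sink.write(out)
        if not out and not pending and not left:
            break                                      # nothing left to feed or drain
    if not inflater.eof:
        raise zipfile.BadZipFile("truncated deflate stream in %r" % zi.filename)
    if produced != zi.file_size:
        raise zipfile.BadZipFile("size mismatch for %r" % zi.filename)
    if crc != zi.CRC:
        raise zipfile.BadZipFile("Bad CRC-32 for file %r" % zi.filename)
    return produced


def safe_extract(zf, budget):
    """Extract every member under a total output budget; returns {name: bytes}.
    A real extractor would stream each sink to a file instead of keeping it in memory."""
    announced = sum(zi.file_size for zi in zf.infolist())
    if announced > budget:
        raise ZipBombError("archive announces %d bytes, budget is %d" % (announced, budget))
    extracted, remaining = {}, budget
    for zi in zf.infolist():
        if zi.is_dir():
            continue
        sink = io.BytesIO()
        remaining -= bounded_inflate(seek_member_data(zf, zi), zi, remaining, sink)
        extracted[zi.filename] = sink.getvalue()
    return extracted


def build_archive(payload):
    """Constructed sample: one deflated member named dummy1.txt holding payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("dummy1.txt", payload)
    return buf.getvalue()


def outcome(archive, budget, announce=None):
    """Run safe_extract and report ('ok', total bytes) or ('rejected', message).
    announce overrides the member's announced size in memory, simulating the
    report's edited size field without crafting an archive on disk."""
    zf = zipfile.ZipFile(io.BytesIO(archive))
    if announce is not None:
        zf.getinfo("dummy1.txt").file_size = announce
    try:
        extracted = safe_extract(zf, budget)
    except ZipBombError as exc:
        return ("rejected", str(exc))
    return ("ok", sum(len(data) for data in extracted.values()))


HONEST = build_archive(b"0" * (1 << 20))   # constructed: 1 MiB of "0", a scaled-down dummy1.txt

if __name__ == "__main__":
    print(outcome(HONEST, 10 << 20))               # honest header, within budget
    print(outcome(HONEST, 10 << 20, announce=1))   # header announces 1 byte: rejected
    print(outcome(HONEST, 1000))                   # announced total over budget: rejected
```

The two checks are deliberately independent: the budget check stops an archive whose headers are honest but simply too large, while the per-member cap stops the case from the report, where the header is the thing that cannot be trusted. Because the cap is passed to the decompressor as `max_length`, the lying member is rejected after inflating two bytes, not after 100 MB has reached the disk.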
msg360036 - Author: STINNER Victor (vstinner) * (Python committer) Date: 2020-01-15 10:06
Amit Laish reported the exact same vulnerability to rubyzip and they released a fix for it, CVE-2019-16892.
msg360037 - Author: STINNER Victor (vstinner) * (Python committer) Date: 2020-01-15 10:12
Is this issue a duplicate of bpo-36260 "[security] CVE-2019-9674: Zip Bomb vulnerability" which has been closed by documenting the issue (without touching

The zipfile documentation now contains an explicit warning against ZIP bombs:

Resources limitations

The lack of memory or disk volume would lead to decompression failed. For example, decompression bombs (aka ZIP bomb) apply to zipfile library that can cause disk volume exhaustion.

Note: bpo-36462 "CVE-2019-9674 : zip bomb vulnerability in Lib/" was closed as duplicate of bpo-36260.
msg360038 - Author: Karthikeyan Singaravelan (xtreak) * (Python committer) Date: 2020-01-15 10:15
See also some discussion on regarding this class of vulnerability:
msg360045 - Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2020-01-15 12:01
Is this a 2.7-only issue? I think it is too late.
msg360053 - Author: STINNER Victor (vstinner) * (Python committer) Date: 2020-01-15 13:18
> Is this a 2.7-only issue? I think it is too late.

I vaguely recall that Christian Heimes wrote something about Python 3 in a private email, but I cannot find this email anymore :-p In case of doubt, I marked Python 3 as affected as well.
msg361672 - Author: STINNER Victor (vstinner) * (Python committer) Date: 2020-02-10 07:59
I close this issue as a duplicate of bpo-36260.
Date                 User              Action  Args
2022-04-11 14:59:25  admin             set     github: 83522
2020-02-10 07:59:22  vstinner          set     status: open -> closed
                                               superseder: [security] CVE-2019-9674: Zip Bomb vulnerability
                                               messages: + msg361672
                                               resolution: duplicate
                                               stage: resolved
2020-01-15 13:18:10  vstinner          set     messages: + msg360053
2020-01-15 12:01:19  serhiy.storchaka  set     messages: + msg360045
2020-01-15 10:15:58  xtreak            set     nosy: + xtreak, serhiy.storchaka
                                               messages: + msg360038
2020-01-15 10:12:31  vstinner          set     messages: + msg360037
2020-01-15 10:06:21  vstinner          set     messages: + msg360036
2020-01-15 10:00:52  vstinner          set     nosy: + christian.heimes, rschiron
                                               title: zipfile: ZIP Bomb vulnerability, don't check announced uncompressed size -> [security] zipfile: ZIP Bomb vulnerability, don't check announced uncompressed size
2020-01-15 10:00:34  vstinner          set     files: +
2020-01-15 10:00:24  vstinner          set     files: +
2020-01-15 09:58:21  vstinner          set     files: +
2020-01-15 09:57:18  vstinner          create