CVE-2025-30153

kin-openapi is a Go project for handling OpenAPI files. Prior to 0.131.0, when validating a request with a multipart/form-data schema, if the OpenAPI schema allows it, an attacker can upload a crafted ZIP file (e.g., a ZIP bomb), causing the server to consume all available system memory. The root cause comes from the ZipFileBodyDecoder, which is registered automatically by the module (contrary to what the documentation says). This vulnerability is fixed in 0.131.0.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/getkin/kin-openapi/blob/6da871e0e170b7637eb568c265c08bc2b5d6e7a3/openapi3filter/req_resp_decoder.go#L1275
https://github.com/getkin/kin-openapi/blob/6da871e0e170b7637eb568c265c08bc2b5d6e7a3/openapi3filter/req_resp_decoder.go#L1523
https://github.com/getkin/kin-openapi/commit/67f0b233ffc01332f7d993f79490fbea5f4455f1
https://github.com/getkin/kin-openapi/security/advisories/GHSA-wq9g-9vfc-cfq9
https://github.com/getkin/kin-openapi?tab=readme-ov-file#custom-content-type-for-body-of-http-requestresponse

Configurations

No configuration.

History

19 Mar 2025, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-19 16:15

Updated : 2025-03-19 16:15

NVD link : CVE-2025-30153

Mitre link : CVE-2025-30153

CVE.ORG link : CVE-2025-30153

JSON object : View

Products Affected

No product.

CWE

CWE-409

Improper Handling of Highly Compressed Data (Data Amplification)

7.5 /10