CVE-2024-53992

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-53992
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-53992.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-53992
Aliases
  • GHSA-34cg-7f8c-fm5h
Published
2024-12-02T17:03:22Z
Modified
2025-10-15T18:16:11.812142Z
Severity
  • 8.8 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
unzip-bot Allows Remote Code Execution (RCE) via archive extraction, password prompt, or video upload
Details

unzip-bot is a Telegram bot that extracts various types of archives. User-controlled input is passed without sanitization into commands executed through subprocess.Popen with shell=True, so an attacker can inject arbitrary shell commands via a crafted archive name, password, or video name. This vulnerability is fixed in 7.0.3a.

References

Affected packages

Git / github.com/EDM115/unzip-bot

Affected ranges

Type
GIT
Repo
https://github.com/EDM115/unzip-bot
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

2.*

2.0

3.*

3.0

4.*

4.0
4.5

5.*

5.0

6.*

6.0
6.2
6.3
6.3.2
6.3.3

7.*

7.0.0a
7.0.0a-herokufix