What is CVE-2025-30153?

CVE-2025-30153 is a high-severity vulnerability in Getkin Kin-openapi, classified under Improper Handling of Highly Compressed Data (Data Amplification). CVSS score: 7.5/10. Published 2025-03-19.

How severe is CVE-2025-30153?

High severity. CVSS v3 base score is 7.5 out of 10.

Vulnerability in Getkin Kin-openapi

CVE-2025-30153

kin-openapi is a Go project for handling OpenAPI files. Prior to 0.131.0, when validating a request with a multipart/form-data schema, if the OpenAPI schema allows it, an attacker can upload a crafted ZIP file (e.g., a ZIP bomb), causing t…

EPSS: 0.001 (27.3th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

Affected products

Getkin Kin-openapi — versions < 0.131.0

Weakness classification (CWE)

CWE-409 — Improper Handling of Highly Compressed Data (Data Amplification)

References

https://github.com/getkin/kin-openapi/security/advisories/GHSA-wq9g-9vfc-cfq9 (x_refsource_CONFIRM)
https://github.com/getkin/kin-openapi/commit/67f0b233ffc01332f7d993f79490fbea5f4455f1 (x_refsource_MISC)
https://github.com/getkin/kin-openapi/blob/6da871e0e170b7637eb568c265c08bc2b5d6e7a3/openapi3filter/req_resp_decoder.go#L1275 (x_refsource_MISC)
https://github.com/getkin/kin-openapi/blob/6da871e0e170b7637eb568c265c08bc2b5d6e7a3/openapi3filter/req_resp_decoder.go#L1523 (x_refsource_MISC)
https://github.com/getkin/kin-openapi?tab=readme-ov-file#custom-content-type-for-body-of-http-requestresponse (x_refsource_MISC)

Frequently asked questions

What is CVE-2025-30153?: CVE-2025-30153 is a high-severity vulnerability in Getkin Kin-openapi, classified under Improper Handling of Highly Compressed Data (Data Amplification). CVSS score: 7.5/10. Published 2025-03-19.
How severe is CVE-2025-30153?: High severity. CVSS v3 base score is 7.5 out of 10.