CWE-409 · Improper Handling of Highly Compressed Data (Data Amplification)
50 CVEs classified under CWE-409 (Improper Handling of Highly Compressed Data (Data Amplification)). Browse by severity and year.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-44697 | High | 8.6 | 2026-05-29 | Klever-Go is the Go implementation of the Klever blockchain protocol. Prior to 1.7.17, a remote, unauthenticated denial-of-service vulnerability in Batch.Decom… |
| CVE-2026-44432 | High | 7.5 | 2026-05-13 | urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) duri… |
| CVE-2026-40036 | High | 7.5 | 2026-04-08 | Unfurl before 2026.04 contains an unbounded zlib decompression vulnerability in parse_compressed.py that allows remote attackers to cause denial of service. At… |
| CVE-2026-1526 | High | 7.5 | 2026-03-12 | The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSoc… |
| CVE-2026-28435 | High | 7.5 | 2026-03-04 | cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.35.0, cpp-httplib (httplib.h) does not enforce Server::set_payload… |
| CVE-2025-69223 | High | 7.5 | 2026-01-05 | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against… |
| CVE-2024-12886 | High | 7.5 | 2025-03-20 | An Out-Of-Memory (OOM) vulnerability exists in the `ollama` server version 0.3.14. This vulnerability can be triggered when a malicious API server responds wit… |
| CVE-2024-7765 | High | 7.5 | 2025-03-20 | In h2oai/h2o-3 version 3.46.0.2, a vulnerability exists where uploading and repeatedly parsing a large GZIP file can cause a denial of service. The server beco… |
| CVE-2025-30153 | High | 7.5 | 2025-03-19 | kin-openapi is a Go project for handling OpenAPI files. Prior to 0.131.0, when validating a request with a multipart/form-data schema, if the OpenAPI schema al… |
| CVE-2024-43499 | High | 7.5 | 2024-11-12 | .NET and Visual Studio Denial of Service Vulnerability |
| CVE-2024-3572 | High | 7.5 | 2024-04-16 | The scrapy/scrapy project is vulnerable to XML External Entity (XXE) attacks due to the use of lxml.etree.fromstring for parsing untrusted XML data without pro… |
| CVE-2024-28101 | High | 7.5 | 2024-03-06 | The Apollo Router is a graph router written in Rust to run a federated supergraph that uses Apollo Federation. Versions 0.9.5 until 1.40.2 are subject to a Den… |
| CVE-2022-29225 | High | 7.5 | 2022-06-09 | Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1 decompressors accumulate decompressed data into an intermediate buffer before overw… |
| CVE-2025-46730 | Medium | 6.8 | 2025-05-05 | MobSF is a mobile application security testing tool used. Typically, MobSF is deployed on centralized internal or cloud-based servers that also host other secu… |
| CVE-2026-27460 | Medium | 6.5 | 2026-04-10 | Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.5, a critical Denial of Service (DoS) vulnera… |
| CVE-2026-40148 | Medium | 6.5 | 2026-04-09 | PraisonAI is a multi-agent teams system. Prior to 4.5.128, the _safe_extractall() function in PraisonAI's recipe registry validates archive members against pat… |
| CVE-2026-3114 | Medium | 6.5 | 2026-03-26 | Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to validate decompressed archive entry sizes during file ext… |
| CVE-2026-25962 | Medium | 6.5 | 2026-03-06 | MarkUs is a web application for the submission and grading of student assignments. Prior to version 2.9.4, MarkUs currently extracts zip files without any size… |
| CVE-2024-55909 | Medium | 6.5 | 2025-05-02 | IBM Concert Software 1.0.0 through 1.0.5 could allow an authenticated user to cause a denial of service due to the expansion of archive files without controlli… |
| CVE-2025-32949 | Medium | 6.5 | 2025-04-15 | This vulnerability allows any authenticated user to cause the server to consume very large amounts of disk space when extracting a Zip Bomb. If user import i… |