Commons Compress

General Information

For information about reporting or asking questions about security problems, please see the security page of the Commons project.

Apache Commons Compress Security Vulnerabilities

This page lists all security vulnerabilities fixed in released versions of Apache Commons Compress. Each vulnerability is given a security impact rating by the development team; please note that this rating may vary from platform to platform. We also list the versions of Commons Compress the flaw is known to affect, and where a flaw has not been verified we list the version with a question mark.

Please note that binary patches are never provided. If you need to apply a source code patch, use the building instructions for the Commons Compress version that you are using.

If you need help on building Commons Compress or other help on following the instructions to mitigate the known vulnerabilities listed here, please send your questions to the public Compress Users mailing list.

If you have encountered an unlisted security vulnerability or other unexpected behavior that has security impact, or if the descriptions here are incomplete, please report them privately to the Apache Security Team. Thank you.

Fixed in Apache Commons Compress 1.26.0

Important: Denial of Service CVE-2024-25710

This affects version 1.3 through 1.25.0.

This denial of service is caused by an infinite loop reading a corrupted DUMP file.

Users are recommended to upgrade to version 1.26.0 which fixes the issue.

Credit to Yakov Shafranovich, Amazon Web Services (reporter).

Moderate: Denial of Service CVE-2024-26308

You can get an OutOfMemoryError unpacking a broken Pack200 file.

This issue affects Commons Compress 1.21 before 1.26.0.

Users are recommended to upgrade to version 1.26.0 which fixes the issue.

Credit to Yakov Shafranovich, Amazon Web Services (reporter).

Fixed in Apache Commons Compress 1.24.0

Moderate: Denial of Service CVE-2023-42503

Improper Input Validation, Uncontrolled Resource Consumption vulnerability in Apache Commons Compress in TAR parsing.

This issue affects Apache Commons Compress: from 1.22 before 1.24.0.

Users are recommended to upgrade to version 1.24.0, which fixes the issue.

A third party can create a malformed TAR file by manipulating file modification times headers, which when parsed with Apache Commons Compress, will cause a denial of service issue via CPU consumption.

In version 1.22 of Apache Commons Compress, support was added for file modification times with higher precision (issue # COMPRESS-612[1]). The format for the PAX extended headers carrying this data consists of two numbers separated by a period[2], indicating seconds and subsecond precision (for example “1647221103.5998539”). The impacted fields are “atime”, “ctime”, “mtime” and “LIBARCHIVE.creationtime”. No input validation is performed prior to the parsing of header values.

Parsing of these numbers uses the BigDecimal[3] class from the JDK which has a publicly known algorithmic complexity issue when doing operations on large numbers, causing denial of service (see issue # JDK-6560193[4]). A third party can manipulate file time headers in a TAR file by placing a number with a very long fraction (300,000 digits) or a number with exponent notation (such as “9e9999999”) within a file modification time header, and the parsing of files with these headers will take hours instead of seconds, leading to a denial of service via exhaustion of CPU resources. This issue is similar to CVE-2012-2098[5].

Only applications that parse TAR files using the CompressorStreamFactory class (with auto-detection of file types) or the TarArchiveInputStream and TarFile classes are impacted. Since this code was introduced in v1.22, only that version and later versions are impacted.
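The gap described for CVE-2023-42503 is the absence of any check on the header value before it reaches BigDecimal. The class below is an added example written for this page, not code from Commons Compress or from its 1.24.0 fix; it assumes Java 11 and picks its own bounds (at most 19 integer digits and 9 fraction digits, no exponent) for what a PAX time value may look like. The three sample values in main are constructed, the first being the form the advisory quotes.

```java
import java.math.BigDecimal;
import java.math.RoundingMode;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Added example (not Commons Compress code): refuse PAX time header values
 * outside a small plain-decimal form before BigDecimal ever sees them, so an
 * exponent ("9e9999999") or a fraction hundreds of thousands of digits long
 * is rejected in time linear in the value's length. Requires Java 11+.
 */
public final class PaxTimeValidator {

    /** The four PAX keys the advisory names as affected. */
    private static final Set<String> TIME_KEYS =
            Set.of("atime", "ctime", "mtime", "LIBARCHIVE.creationtime");

    /**
     * Optional minus sign, 1-19 integer digits (a 64-bit count of seconds),
     * optional fraction of 1-9 digits (nanosecond precision). Exponent
     * notation, whitespace and a bare "." are all rejected. The digit bounds
     * are an assumption chosen for this example.
     */
    private static final Pattern SAFE_TIME =
            Pattern.compile("-?[0-9]{1,19}(\\.[0-9]{1,9})?");

    private PaxTimeValidator() {
    }

    /** True if the raw header value has the bounded plain-decimal form. */
    public static boolean isSafeTimeValue(String value) {
        return value != null && SAFE_TIME.matcher(value).matches();
    }

    /** Gate for any decoded PAX "key=value" pair; non-time keys pass through. */
    public static boolean isAcceptable(String key, String value) {
        return !TIME_KEYS.contains(key) || isSafeTimeValue(value);
    }

    /**
     * Parse a validated value into {seconds, nanoseconds}. Anything the regex
     * does not accept is refused, so BigDecimal only works on a short,
     * exponent-free string.
     */
    public static long[] parseTime(String value) {
        if (!isSafeTimeValue(value)) {
            // Report the length, not the content, so a huge value cannot flood logs.
            throw new IllegalArgumentException("rejected PAX time value of length "
                    + (value == null ? 0 : value.length()));
        }
        try {
            BigDecimal d = new BigDecimal(value);
            long seconds = d.setScale(0, RoundingMode.FLOOR).longValueExact();
            long nanos = d.subtract(BigDecimal.valueOf(seconds))
                    .movePointRight(9).longValueExact();
            return new long[] {seconds, nanos};
        } catch (ArithmeticException e) {
            // 19 digits can still overflow a long; treat that as invalid too.
            throw new IllegalArgumentException("PAX time value out of range", e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample values.
        String normal = "1647221103.5998539";
        String exponent = "9e9999999";
        String hugeFraction = "1." + "9".repeat(300_000);

        long[] t = parseTime(normal);
        System.out.println(normal + " -> seconds=" + t[0] + " nanos=" + t[1]);
        for (String bad : new String[] {exponent, hugeFraction}) {
            long start = System.nanoTime();
            boolean ok = isAcceptable("mtime", bad);
            long micros = (System.nanoTime() - start) / 1_000;
            System.out.println("mtime value of " + bad.length() + " chars accepted="
                    + ok + " (checked in " + micros + " us)");
        }
        // A non-time key is never subject to the check.
        System.out.println("path accepted=" + isAcceptable("path", hugeFraction));
    }
}
```

The shape of the mitigation is what matters here: the cost of the check is bounded by the length of the header value, and the expensive parser only ever runs on input that has already been shown to be short and exponent-free. Whether the bounds chosen above suit a given deployment (for instance, whether negative timestamps should be accepted at all) is a local decision.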

Fixed in Apache Commons Compress 1.21

Low: Denial of Service CVE-2021-35515

When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

This was fixed in revision 3fe6b42.

This issue was discovered by OSS Fuzz.

Affects: 1.6 - 1.20

Low: Denial of Service CVE-2021-35516

When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

This was fixed in revisions 26924e9, c51de6c, 0aba8b8, 60d551a, bf5a534, 5761493, and ae2b27c.

This issue was first reported to the project's issue tracker as COMPRESS-542 by Robin Schimpf. Later OSS Fuzz detected ways to exploit this issue which managed to escape the initial attempt to fix it.

Affects: 1.6 - 1.20

Low: Denial of Service CVE-2021-35517

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.

This was fixed in revisions d0af873, 7ce1b07 and 80124dd.

This issue was discovered by OSS Fuzz.

Affects: 1.1 - 1.20

Low: Denial of Service CVE-2021-36090

When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.

This was fixed in revisions ef5d70b and 80124dd.

This issue was discovered by OSS Fuzz.

Affects: 1.0 - 1.20

Fixed in Apache Commons Compress 1.19

Low: Denial of Service CVE-2019-12402

The file name encoding algorithm used internally in Apache Commons Compress can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress.

This was fixed in revision 4ad5d80a.

This was first reported to the Commons Security Team on 22 August 2019 and made public on 27 August 2019.

Affects: 1.15 - 1.18

Fixed in Apache Commons Compress 1.18

Low: Denial of Service CVE-2018-11771

When reading a specially crafted ZIP archive, the read method of ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. When combined with a java.io.InputStreamReader this can lead to an infinite stream, which can be used to mount a denial of service attack against services that use Compress' zip package.

This was fixed in revision a41ce68.

This was first reported to the Security Team on 14 June 2018 and made public on 16 August 2018.

Affects: 1.7 - 1.17
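On the consuming side, the defence against an entry stream that never signals EOF is to stop trusting it to terminate. The wrapper below is an added example written for this page, not Commons Compress code; its NeverEndingStream is a constructed stand-in that keeps handing out bytes after its data is used up, which models the failure mode and not the actual ZipArchiveInputStream defect. The per-entry byte limit and the sample payload are assumptions chosen for the example.

```java
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.Reader;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

/**
 * Added example (not Commons Compress code): a guard wrapper that makes an
 * entry stream fail loudly instead of feeding an InputStreamReader forever.
 * It enforces (1) a caller-chosen cap on bytes delivered per entry and
 * (2) the InputStream contract that read(b, off, len) with len > 0 must
 * block, deliver at least one byte, or return -1, never 0.
 */
public final class GuardedEntryStream extends FilterInputStream {

    private final long maxBytes;
    private long delivered;

    public GuardedEntryStream(InputStream in, long maxBytes) {
        super(in);
        this.maxBytes = maxBytes;
    }

    @Override
    public int read() throws IOException {
        int b = in.read();
        if (b >= 0) {
            count(1);
        }
        return b;
    }

    @Override
    public int read(byte[] b, int off, int len) throws IOException {
        if (len == 0) {
            return 0;
        }
        int n = in.read(b, off, len);
        if (n == 0) {
            // Contract violation; a reader loop would otherwise spin here with no progress.
            throw new IOException("stream returned 0 bytes for a read of " + len);
        }
        if (n > 0) {
            count(n);
        }
        return n;
    }

    private void count(int n) throws IOException {
        delivered += n;
        if (delivered > maxBytes) {
            throw new IOException("entry exceeded the " + maxBytes + " byte limit");
        }
    }

    /**
     * Constructed stand-in for a stream that never signals EOF: once its data
     * is used up it keeps returning NUL bytes instead of -1.
     */
    static final class NeverEndingStream extends InputStream {
        private final byte[] data;
        private int pos;

        NeverEndingStream(byte[] data) {
            this.data = data;
        }

        @Override
        public int read() {
            return pos < data.length ? data[pos++] & 0xff : 0;
        }

        @Override
        public int read(byte[] b, int off, int len) {
            int n = Math.min(len, data.length - pos);
            if (n == 0) {
                Arrays.fill(b, off, off + len, (byte) 0); // past the end: filler, never -1
                return len;
            }
            System.arraycopy(data, pos, b, off, n);
            pos += n;
            return n;
        }
    }

    /** Reads an entry as text through the guard; throws instead of hanging. */
    public static String readEntryText(InputStream entry, long maxBytes) throws IOException {
        StringBuilder sb = new StringBuilder();
        try (Reader r = new InputStreamReader(
                new GuardedEntryStream(entry, maxBytes), StandardCharsets.UTF_8)) {
            int c;
            while ((c = r.read()) != -1) { // would never end on the bare stand-in stream
                sb.append((char) c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        byte[] payload = "hello, archive\n".getBytes(StandardCharsets.UTF_8); // constructed
        try {
            System.out.println(readEntryText(new NeverEndingStream(payload), 64 * 1024));
        } catch (IOException e) {
            System.out.println("guard tripped: " + e.getMessage());
        }
    }
}
```

The limit is deliberately per entry rather than per archive: the same wrapper can be re-created around each entry stream with a size derived from the entry's declared length plus a margin, so a single misbehaving entry cannot consume the budget meant for the rest of the archive.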

Fixed in Apache Commons Compress 1.16

Low: Denial of Service CVE-2018-1324

A specially crafted ZIP archive can be used to cause an infinite loop inside of Compress' extra field parser used by the ZipFile and ZipArchiveInputStream classes. This can be used to mount a denial of service attack against services that use Compress' zip package.

This was fixed in revision 2a2f1dc4.

This was first reported to the project's JIRA on 19 December 2017.

Affects: 1.11 - 1.15

Fixed in Apache Commons Compress 1.4.1

Low: Denial of Service CVE-2012-2098

The bzip2 compressing streams in Apache Commons Compress internally use sorting algorithms with unacceptable worst-case performance on very repetitive inputs. A specially crafted input to Compress' BZip2CompressorOutputStream can be used to make the process spend a very long time while using up all available processing time, effectively leading to a denial of service.

This was fixed in revisions 1332540, 1332552, 1333522, 1337444, 1340715, 1340723, 1340757, 1340786, 1340787, 1340790, 1340795 and 1340799.

This was first reported to the Security Team on 12 April 2012 and made public on 23 May 2012.

Affects: 1.0 - 1.4

Errors and Omissions

Please report any errors or omissions to the dev mailing list.