CVE-2026-55195

miurahr · py7zr

The py7zr library is susceptible to a data amplification attack due to improper handling of highly compressed 7zip archive data.

Executive summary

A vulnerability in the py7zr library allows unauthenticated attackers to trigger a denial-of-service condition via specially crafted, highly compressed archive files.

Vulnerability

The software is vulnerable to CWE-409 (Improper Handling of Highly Compressed Data), where processing malicious archives can lead to excessive resource consumption. This affects unauthenticated users who can provide input files to applications utilizing this library for decompression.

Business impact

An attacker can leverage this vulnerability to cause a denial-of-service by exhausting system resources (CPU/Memory) during the decompression of a malicious 7zip file. Given the CVSS score of 8.7, this represents a significant threat to availability for any service that processes user-uploaded archives.

Remediation

Immediate Action: Update the py7zr library to version 1.1.3 or later, which includes necessary checks to prevent data amplification attacks.

Proactive Monitoring: Monitor system resource usage (CPU and memory spikes) when the application performs file decompression tasks.

Compensating Controls: Implement file size limits and validation on all user-uploaded archives before passing them to the decompression utility.

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability presents a high risk to service availability. Organizations should update to version 1.1.3 immediately and implement strict input validation to protect against resource-exhaustion attacks.