PT-2026-31471

Unfurl before 2026.04 contains an unbounded zlib decompression vulnerability in parse compressed.py that allows remote attackers to cause denial of service. Attackers can submit highly compressed payloads via URL parameters to the /json/visjs endpoint that expand to gigabytes, exhausting server...

Keycloak: Denial of Service due to excessive SAMLRequest decompression

A flaw was found in Keycloak. An unauthenticated remote attacker can trigger an application level Denial of Service DoS by sending a highly compressed SAMLRequest through the SAML Redirect Binding. The server fails to enforce size limits during DEFLATE decompression, leading to an OutOfMemoryErro...

undici 安全漏洞

Undici is an open-source HTTP/1.1 client developed by Node.js. Undici has a security vulnerability that stems from unlimited memory consumption during the decompression of permessage-deflate. This vulnerability could allow malicious WebSocket servers to send small compressed frames, causing the...

Improper Handling of Highly Compressed Data (Data Amplification)

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data Data Amplification via the SAMLRequest DEFLATE decompression. An...

Denial Of Service (DoS)

authlib is vulnerable to Denial Of Service. The vulnerability is due to unbounded DEFLATE decompression in the JWE zip=DEF processing path, where a very small ciphertext can expand into extremely large plaintext during token decryption, and attackers can exploit this by supplying decryptable toke...

CVE-2025-62706

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, allowing an attacker who can supply decryptable...

DEBIAN-CVE-2025-62706

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, allowing an attacker who can supply decryptable...

CVE-2025-62706

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, allowing an attacker who can supply decryptable...

Authlib 安全漏洞

Authlib is the ultimate Python library for building OAuth and OpenID Connect servers open-sourced by Authlib. A security vulnerability exists in Authlib versions prior to 1.6.5, which stems from the JWE zip=DEF path executing an unrestricted DEFLATE decompression, which could lead to memory and C...

Authlib : JWE zip=DEF decompression bomb enables DoS

Summary Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, allowing an attacker who can supply decryptable tokens to exhaust memory and CPU and cause denial of service. Details - Affected component...

GHSA-G8VQ-V3MG-7MRG Redlib allows a Denial of Service via DEFLATE Decompression Bomb in restore_preferences Form

A vulnerability has been identified in Redlib where an attacker can cause a denial-of-service DOS condition by submitting a specially crafted base2048-encoded DEFLATE decompression bomb to the restorepreferences form. This leads to excessive memory consumption and potential system instability,...

Redlib allows a Denial of Service via DEFLATE Decompression Bomb in restore_preferences Form

A vulnerability has been identified in Redlib where an attacker can cause a denial-of-service DOS condition by submitting a specially crafted base2048-encoded DEFLATE decompression bomb to the restorepreferences form. This leads to excessive memory consumption and potential system instability,...

CVE-2025-30160 Redlib allows a Denial of Service via DEFLATE Decompression Bomb in restore_preferences Form

Redlib is an alternative private front-end to Reddit. A vulnerability has been identified in Redlib where an attacker can cause a denial-of-service DOS condition by submitting a specially crafted base2048-encoded DEFLATE decompression bomb to the restorepreferences form. This leads to excessive...

Redlib 代码问题漏洞

Redlib is a private front-end for Reddit open-sourced by Redlib. A code issue vulnerability exists in Redlib versions prior to 0.36.0 that stems from an attacker being able to cause a denial of service by submitting a specially crafted base2048-encoded DEFLATE decompression bomb that consumes a...

CVE-2023-28119 crewjam/saml vulnerable to Denial Of Service Via Deflate Decompression Bomb

The crewjam/saml go library contains a partial implementation of the SAML standard in golang. Prior to version 0.4.13, the package's use of flate.NewReader does not limit the size of the input. The user can pass more than 1 MB of data in the HTTP request to the processing functions, which will be...

GO-2023-1602 Denial of service via deflate decompression bomb in github.com/russellhaering/gosaml2

A bug in SAML authentication library can result in Denial of Service attacks. Attackers can craft a "deflate"-compressed request which will consume significantly more memory during processing than the size of the original request. This may eventually lead to memory exhaustion and the process bein...

K15893: Apache HTTP server vulnerabilities CVE-2014-0117, CVE-2014-0118, CVE-2014-0226, CVE-2014-0231, and CVE-2014-3523

Security Advisory Description CVE-2014-0117 The modproxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service child-process crash via a crafted HTTP Connection header. CVE-2014-0118 The deflateinfilter function...