Lucene search
K

160 matches found

NVD
NVD
added yesterday4 views

CVE-2026-49855

Tornado is a Python web framework and asynchronous networking library. Prior to 6.5.6, Tornado gzip decompression routines processed limited-size chunks but did not enforce an overall limit on accumulated decompressed chunks, allowing a malicious server accessed by SimpleAsyncHTTPClient or an...

7.5CVSS0.00052EPSS
Exploits0References3
CVE
CVE
added yesterday22 views

CVE-2026-49855

Tornado (Python) prior to 6.5.6 allows a malicious server accessed via SimpleAsyncHTTPClient or an HTTPServer with decompress_request=True to accumulate decompressed data without an overall size limit, potentially causing memory exhaustion. Affected is gzip decompression routines that previously ...

7.5CVSS6.1AI score0.00052EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/07/08 9:24 p.m.36 views

CVE-2026-44160 Fluentd: Denial of Service (DoS) via Gzip Decompression Bomb in `in_http` and `in_forward`

Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, Fluentd's inhttp and inforward plugins support gzip-compressed data but enforce limits only on compressed payloads through settings such as bodysizelimit and...

7.5CVSS0.0062EPSS
Exploits0References4
NVD
NVD
added 2026/07/08 8:16 p.m.6 views

CVE-2026-59803

rpcx through 1.9.3, fixed in commit 047aec1, contains a denial-of-service vulnerability in protocol.Message.Decode protocol/message.go. When a message has the compression flag set, the payload is gzip-decompressed via util.Unzip with no limit on the decompressed output size. The only built-in siz...

8.7CVSS0.00408EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/07/08 7:42 p.m.37 views

CVE-2026-59803 rpcx - Denial of Service via Gzip Decompression Bomb in Wire Protocol

rpcx through 1.9.3, fixed in commit 047aec1, contains a denial-of-service vulnerability in protocol.Message.Decode protocol/message.go. When a message has the compression flag set, the payload is gzip-decompressed via util.Unzip with no limit on the decompressed output size. The only built-in siz...

8.7CVSS0.00408EPSS
Exploits0References4
EUVD
EUVD
added 2026/07/08 7:42 p.m.6 views

EUVD-2026-42372

rpcx through 1.9.3, fixed in commit 047aec1, contains a denial-of-service vulnerability in protocol.Message.Decode protocol/message.go. When a message has the compression flag set, the payload is gzip-decompressed via util.Unzip with no limit on the decompressed output size. The only built-in siz...

8.7CVSS6AI score0.00408EPSS
Exploits0References4
OSV
OSV
added 2026/07/08 7:42 p.m.3 views

CVE-2026-59803 rpcx - Denial of Service via Gzip Decompression Bomb in Wire Protocol

rpcx through 1.9.3, fixed in commit 047aec1, contains a denial-of-service vulnerability in protocol.Message.Decode protocol/message.go. When a message has the compression flag set, the payload is gzip-decompressed via util.Unzip with no limit on the decompressed output size. The only built-in siz...

8.7CVSS6.1AI score0.00408EPSS
Exploits0References7
OSV
OSV
added 2026/07/07 3:26 p.m.5 views

GO-2026-5778 Rekor has an OOM Condition due to Unbounded gzip Decompression in Alpine APK Parsing Logic in github.com/sigstore/rekor

Rekor has an OOM Condition due to Unbounded gzip Decompression in Alpine APK Parsing Logic in github.com/sigstore/rekor...

5.9AI score
Exploits0References1
OSV
OSV
added 2026/06/26 4:35 p.m.3 views

GHSA-J9CW-HWQF-85W7 Fluentd is Vulnerable to Denial of Service (DoS) via Gzip Decompression Bomb in `in_http` and `in_forward`

Fluentd's inhttp and inforward plugins support receiving gzip-compressed data. While Fluentd correctly enforces size limits on the incoming compressed payloads e.g., via bodysizelimit or chunksizelimit, it was discovered that there is no limit enforced on the size of the decompressed data. If a...

7.5CVSS5.8AI score0.0062EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/26 12:0 a.m.64 views

PT-2026-53004

Name of the Vulnerable Software and Affected Versions Fluentd versions prior to 1.19.3 Description The in http and in forward plugins support gzip-compressed data but only enforce size limits on the compressed payloads via settings like body size limit and chunk size limit. Because no limit is...

7.5CVSS7.1AI score0.0062EPSS
Exploits0References15
OSV
OSV
added 2026/06/24 1:13 p.m.12 views

OESA-2026-2728 python-tornado security update

Tornado is an open source version of the scalable, non-blocking web server and tools. Security Fixes: When SimpleAsyncHTTPClient follows a 3xx redirect, it shallow-copies the original HTTPRequest, rewrites the URL, decrements maxredirects, and removes only the Host header. It does not clear...

7.7CVSS5.8AI score0.00052EPSS
Exploits0References4
OSV
OSV
added 2026/06/24 1:13 p.m.7 views

OESA-2026-2727 python-tornado security update

Tornado is an open source version of the scalable, non-blocking web server and tools. Security Fixes: When SimpleAsyncHTTPClient follows a 3xx redirect, it shallow-copies the original HTTPRequest, rewrites the URL, decrements maxredirects, and removes only the Host header. It does not clear...

7.7CVSS5.8AI score0.00052EPSS
Exploits0References4
Tenable Nessus
Tenable Nessus
added 2026/06/19 12:0 a.m.10 views

Python Library Tornado < 6.5.6 Multiple Vulnerabilities

The version of the Tornado Python library installed on the remote host is prior to 6.5.6. It is, therefore, affected by multiple vulnerabilities: - When SimpleAsyncHTTPClient follows a 3xx redirect, it shallow-copies the original HTTPRequest, rewrites the URL, decrements maxredirects, and removes...

7.7CVSS5.9AI score0.00052EPSS
Exploits0References4
NVD
NVD
added 2026/06/15 11:16 p.m.15 views

CVE-2026-53430

Improper Handling of Highly Compressed Data Data Amplification vulnerability in elixir-grpc grpc GRPC.Compressor.Gzip, GRPC.Message modules allows a denial of service via a gzip decompression bomb. This vulnerability is associated with program files lib/grpc/compressor/gzip.ex, lib/grpc/message.e...

8.7CVSS0.00348EPSS
Exploits0References4
EUVD
EUVD
added 2026/06/15 9:55 p.m.8 views

EUVD-2026-37014

Improper Handling of Highly Compressed Data Data Amplification vulnerability in elixir-grpc grpc GRPC.Compressor.Gzip, GRPC.Message modules allows a denial of service via a gzip decompression bomb. This vulnerability is associated with program files lib/grpc/compressor/gzip.ex, lib/grpc/message.e...

8.7CVSS5.4AI score0.00348EPSS
Exploits0References4
OSV
OSV
added 2026/06/15 9:55 p.m.4 views

CVE-2026-53430 grpc gzip decompression bomb in GRPC.Compressor.Gzip.decompress/1

Improper Handling of Highly Compressed Data Data Amplification vulnerability in elixir-grpc grpc GRPC.Compressor.Gzip, GRPC.Message modules allows a denial of service via a gzip decompression bomb. This vulnerability is associated with program files lib/grpc/compressor/gzip.ex, lib/grpc/message.e...

8.7CVSS7.2AI score0.00348EPSS
Exploits0References9
OSV
OSV
added 2026/06/15 9:55 p.m.9 views

EEF-CVE-2026-53430 grpc gzip decompression bomb in GRPC.Compressor.Gzip.decompress/1

Summary Improper Handling of Highly Compressed Data Data Amplification vulnerability in elixir-grpc grpc GRPC.Compressor.Gzip, GRPC.Message modules allows a denial of service via a gzip decompression bomb. This vulnerability is associated with program files lib/grpc/compressor/gzip.ex,...

8.7CVSS5.5AI score0.00348EPSS
Exploits0References3
OSV
OSV
added 2026/06/15 8:19 p.m.8 views

GHSA-MGF9-4VPG-HJ56 tornado AsyncHTTPClient accumulates decompressed chunks without size limit (gzip bomb)

Tornado's gzip decompression routines work in limited-size chunks, but have no overall limit for the total size of decompressed chunks that they will accumulate There has always been a limit for the total compressed size. This allows a malicious server to consume effectively unlimited amounts of...

7.5CVSS5.4AI score0.00052EPSS
Exploits0References2
RedHat Linux
RedHat Linux
added 2026/06/09 11:18 a.m.34 views

Pillow: Pillow: Denial of Service via decompression bomb in FITS image processing

A flaw was found in Pillow, a Python imaging library. This vulnerability allows a remote attacker to trigger a denial of service DoS by providing a specially crafted FITS image file. The library's failure to limit the amount of GZIP-compressed data during decoding can lead to unbounded memory...

8.7CVSS7.2AI score0.00671EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/06/09 12:0 a.m.14 views

PT-2026-49535

Name of the Vulnerable Software and Affected Versions elixir-grpc versions 0.4.0 through 0.9.x Description Improper handling of highly compressed data in the GRPC.Compressor.Gzip and GRPC.Message modules allows a denial of service via a gzip decompression bomb. The function decompress/1 in...

8.7CVSS5.3AI score0.00348EPSS
Exploits0References8
Rows per page
Query Builder