Improper Handling of Highly Compressed Data (Data Amplification)

Status: Incomplete
Abstraction: Base
Structure: Simple
Description

This vulnerability occurs when software fails to safely process highly compressed data, where a small input file can trigger the creation of an extremely large amount of data during decompression, overwhelming system resources.

Extended Description

Often called a 'decompression bomb' or 'zip bomb', this attack exploits the extreme compression ratios that formats such as ZIP and gzip allow (compressed streams embedded in PDF files behave the same way), or, in the XML case, the same amplification achieved through nested entity expansion rather than compression. A malicious actor can craft a tiny, harmless-looking file that, when processed by your application, expands to consume gigabytes of memory or disk space, leading to denial of service, crashes, or severe performance degradation.

To prevent this, developers must apply controls before and during decompression: set a strict limit on the allowed compression ratio, read the declared uncompressed size from the file headers before allocating memory, and use streaming decompression under a hard output quota instead of loading the entire output into memory at once. Declared sizes are attacker-controlled, so the quota must also be enforced on the bytes actually produced, not only on what the headers claim. Treating all compressed input as untrusted and validating its potential impact is a critical step in secure file handling.
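The controls just described, as an added Python example (not code from the CWE entry): check_zip_headers() applies the ratio and declared-size checks using only the archive's central directory, before any member is decompressed, and extract_with_quota() then streams members out in fixed-size chunks while counting the bytes actually produced, so a header that lies about its size still cannot exceed the quota. The quota and ratio values, the function names, and the in-memory archives built by build_archive() are assumptions and constructed test input for illustration.

```python
"""Guarding an uploaded ZIP archive against decompression bombs.

Added example for this page, not code from the CWE entry. The limits below are
assumed policy values for illustration and should be tuned per deployment.
"""
import io
import zipfile

MAX_TOTAL_UNCOMPRESSED = 20 * 1024 * 1024   # hard output quota per archive (assumed)
MAX_RATIO = 100                              # uncompressed:compressed (assumed)
CHUNK = 64 * 1024                            # streaming read size


class DecompressionBomb(Exception):
    """Archive claims, or actually produces, more data than policy allows."""


def check_zip_headers(zf, quota=MAX_TOTAL_UNCOMPRESSED):
    """Reject before any decompression, using only central-directory metadata.

    Returns the declared total uncompressed size in bytes.
    """
    total = 0
    for info in zf.infolist():
        if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
            raise DecompressionBomb(
                f"{info.filename}: declared ratio "
                f"{info.file_size / info.compress_size:.0f}:1 exceeds {MAX_RATIO}:1")
        total += info.file_size
        if total > quota:
            raise DecompressionBomb(f"declared total {total} bytes exceeds quota {quota}")
    return total


def extract_with_quota(zf, quota=MAX_TOTAL_UNCOMPRESSED):
    """Stream each member out in CHUNK-sized reads, counting bytes actually produced.

    Header sizes are attacker-controlled, so the quota is enforced on real
    output rather than on what the headers promised.
    """
    produced = 0
    contents = {}
    for info in zf.infolist():
        if info.is_dir():
            continue
        sink = io.BytesIO()   # stand-in for a file on disk
        with zf.open(info) as src:
            while True:
                chunk = src.read(CHUNK)
                if not chunk:
                    break
                produced += len(chunk)
                if produced > quota:
                    raise DecompressionBomb(
                        f"output exceeded {quota} bytes while extracting {info.filename}")
                sink.write(chunk)
        contents[info.filename] = sink.getvalue()
    return contents


def safe_unzip(data, quota=MAX_TOTAL_UNCOMPRESSED):
    """Header check first, then quota-bounded streaming extraction."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        check_zip_headers(zf, quota)
        return extract_with_quota(zf, quota)


def is_bomb(data, quota=MAX_TOTAL_UNCOMPRESSED):
    """True if safe_unzip rejects the archive under the given quota."""
    try:
        safe_unzip(data, quota)
    except DecompressionBomb:
        return True
    return False


def build_archive(members):
    """Build an in-memory ZIP from {name: bytes}. Constructed input for the demo."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return out.getvalue()


if __name__ == "__main__":
    benign = build_archive({"notes.txt": b"line one\nline two\nline three\n"})
    print("benign archive:", {k: len(v) for k, v in safe_unzip(benign).items()})

    # 8 MiB of zeros deflates to a few KiB, roughly a 1000:1 ratio: rejected on headers.
    bomb = build_archive({"zeros.bin": b"\0" * (8 * 1024 * 1024)})
    print("zero-filled archive rejected:", is_bomb(bomb))
```

The header check is cheap and catches the obvious case, but it is only a first filter: both file_size and compress_size come from the attacker, so the byte count inside extract_with_quota() is the control that actually bounds resource use. Nested archives (a ZIP inside a ZIP) need the same quota applied across every level of unpacking.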

Common Consequences
Scope: Availability

Impact:
  • DoS: Amplification
  • DoS: Crash, Exit, or Restart
  • DoS: Resource Consumption (CPU)
  • DoS: Resource Consumption (Memory)

System resources, CPU and memory, can be quickly consumed. This can lead to poor system performance or system crash.

Demonstrative Examples

ID: DX-53

The DTD and the very brief XML below illustrate what is meant by an XML bomb. The ZERO entity contains one character, the letter A. The choice of entity name ZERO is being used to indicate length equivalent to that exponent on two, that is, the length of ZERO is 2^0. Similarly, ONE refers to ZERO twice, therefore the XML parser will expand ONE to a length of 2, or 2^1. Ultimately, we reach entity THIRTYTWO, which will expand to 2^32 characters in length, or 4 GB, probably consuming far more data than expected.

Code Example (Attack, XML):
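The DTD described above, together with a pre-parse size check, as an added Python example (not the CWE entry's own code). build_xml_bomb() reconstructs the ZERO..THIRTYTWO entity chain from the description; entity_expansion_sizes() computes what each entity would expand to by arithmetic on the declarations, without ever expanding them, and parse_within_budget() refuses to hand the document to the parser when the estimate exceeds a budget. The function names, the 10 MiB budget, and the regex-based scan of the internal DTD subset are assumptions for illustration; in production, pair a check like this with a parser that has entity expansion disabled (Python's defusedxml package does that).

```python
"""Sizing an XML document's entity expansion before parsing it.

Added example for this page, not code from the CWE entry. build_xml_bomb()
reconstructs the ZERO..THIRTYTWO DTD the text describes; the budget is an
assumed policy value.
"""
import re
import xml.etree.ElementTree as ET

UNITS = ["ZERO", "ONE", "TWO", "THREE", "FOUR", "FIVE", "SIX", "SEVEN", "EIGHT", "NINE"]
TEENS = ["TEN", "ELEVEN", "TWELVE", "THIRTEEN", "FOURTEEN", "FIFTEEN",
         "SIXTEEN", "SEVENTEEN", "EIGHTEEN", "NINETEEN"]
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')   # internal general entities only
ENTITY_REF = re.compile(r"&(\w+);")
PREDEFINED = {"lt", "gt", "amp", "quot", "apos"}                # each expands to one character
DEFAULT_BUDGET = 10 * 1024 * 1024                               # assumed policy value


class EntityExpansionError(Exception):
    """Document would expand beyond the allowed budget, or its entities recurse."""


def entity_name(n):
    """ZERO, ONE, ..., THIRTYTWO: the naming scheme used by the page's example."""
    if n < 10:
        return UNITS[n]
    if n < 20:
        return TEENS[n - 10]
    tens = {2: "TWENTY", 3: "THIRTY"}[n // 10]
    return tens + ("" if n % 10 == 0 else UNITS[n % 10])


def build_xml_bomb(depth=32):
    """Entity N is two copies of entity N-1, so entity N expands to 2**N characters."""
    decls = ['<!ENTITY ZERO "A">']
    for n in range(1, depth + 1):
        prev = entity_name(n - 1)
        decls.append(f'<!ENTITY {entity_name(n)} "&{prev};&{prev};">')
    return ('<?xml version="1.0"?>\n<!DOCTYPE data [\n' + "\n".join(decls)
            + f"\n]>\n<data>&{entity_name(depth)};</data>\n")


def _literal_size(name):
    """Size of a reference to an entity not declared in the document."""
    return 1 if name in PREDEFINED else len(name) + 2   # undeclared: left as literal text


def entity_expansion_sizes(doc):
    """Expanded length of each declared entity, computed without expanding anything.

    A reference contributes the size of its target, so the bomb costs a few
    dozen additions instead of 4 GiB of memory.
    """
    decls = dict(ENTITY_DECL.findall(doc))
    sizes = {}

    def size(name, stack):
        if name in sizes:
            return sizes[name]
        if name in stack:
            raise EntityExpansionError(f"entity {name} references itself")
        value = decls[name]
        total, pos = 0, 0
        for m in ENTITY_REF.finditer(value):
            ref = m.group(1)
            inner = size(ref, stack + (name,)) if ref in decls else _literal_size(ref)
            total += (m.start() - pos) + inner
            pos = m.end()
        sizes[name] = total + (len(value) - pos)
        return sizes[name]

    for name in decls:
        size(name, ())
    return sizes


def estimated_expansion(doc):
    """Bytes the document body would occupy once every entity reference is expanded."""
    sizes = entity_expansion_sizes(doc)
    body = doc[doc.index("]>") + 2:] if "]>" in doc else doc   # skip the internal subset
    total, pos = 0, 0
    for m in ENTITY_REF.finditer(body):
        ref = m.group(1)
        total += (m.start() - pos) + (sizes[ref] if ref in sizes else _literal_size(ref))
        pos = m.end()
    return total + (len(body) - pos)


def exceeds_budget(doc, budget=DEFAULT_BUDGET):
    """True if the estimated expansion is larger than the budget."""
    return estimated_expansion(doc) > budget


def parse_within_budget(doc, budget=DEFAULT_BUDGET):
    """Refuse to hand the document to the XML parser if expansion would exceed budget."""
    if exceeds_budget(doc, budget):
        raise EntityExpansionError(
            f"would expand to {estimated_expansion(doc)} bytes, budget is {budget}")
    return ET.fromstring(doc)


if __name__ == "__main__":
    bomb = build_xml_bomb(32)
    print(f"{len(bomb)} bytes on the wire, THIRTYTWO expands to "
          f"{entity_expansion_sizes(bomb)['THIRTYTWO']} characters")
    print("rejected before parsing:", exceeds_budget(bomb))
```

The estimate is deliberately an upper bound on a single document and ignores external and parameter entities, which a hardened parser should refuse outright; the point is that the decision to parse is made from the declarations alone, before any expansion work is done.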
Observed Examples
CVE-2009-1955: XML bomb in web server module
CVE-2003-1564: Parsing library allows XML bomb
Applicable Platforms
Languages:
Not Language-Specific (Prevalence: Undetermined)
Modes of Introduction
Architecture and Design
Implementation
Taxonomy Mapping
  • PLOVER
  • The CERT Oracle Secure Coding Standard for Java (2011)