CVE-2024-0450 MEDIUM

CVE-2024-0450: Quoted zip-bomb protection for zipfile

Vendor Python Software Foundation
Product CPython
Weakness CWE-405
Published March 19, 2024
Last update November 3, 2025

CVSS base score

6.2/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

Description

An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to "quoted-overlap" zip bombs, which exploit the zip format to create a zip bomb with a high compression ratio. The fixed versions of CPython make the zipfile module reject zip archives whose entries overlap in the archive.
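The fix in the record above rejects archives whose members occupy overlapping byte ranges. As an added example that is not part of this record and not CPython's own patch, the following defender-side check reads each member's local header and compares the on-disk extents it claims, so an archive can be screened before extraction on any Python 3 version. The two fixtures are constructed here for the demonstration: an ordinary two-member archive and a minimal archive whose central directory holds two records pointing at the same local entry. The function names (`entry_extent`, `find_overlaps`) and the member names are assumptions of this example.

```python
import io
import struct
import zipfile

# Fixed-size parts of the zip format (APPNOTE): local file header and the
# end-of-central-directory record (22 bytes when there is no archive comment).
LOCAL_HEADER = struct.Struct("<4s5H3L2H")   # 30 bytes
LOCAL_SIG = b"PK\x03\x04"
EOCD = struct.Struct("<4s4H2LH")            # 22 bytes
EOCD_SIG = b"PK\x05\x06"


def entry_extent(fp, info):
    """Byte range [start, end) that central-directory entry `info` claims on disk.

    The central directory only records where the local header starts; the local
    header's own name and extra-field lengths tell us where the data begins, and
    the central directory's compress_size tells us where it ends.
    """
    fp.seek(info.header_offset)
    raw = fp.read(LOCAL_HEADER.size)
    if len(raw) != LOCAL_HEADER.size:
        raise zipfile.BadZipFile(f"truncated local header for {info.filename!r}")
    sig, *_, name_len, extra_len = LOCAL_HEADER.unpack(raw)
    if sig != LOCAL_SIG:
        raise zipfile.BadZipFile(f"bad local header signature for {info.filename!r}")
    start = info.header_offset
    end = start + LOCAL_HEADER.size + name_len + extra_len + info.compress_size
    return start, end


def find_overlaps(data):
    """Return (earlier, later) member-name pairs whose byte ranges overlap.

    Members of a well-formed archive sit one after another; several central
    directory records sharing the same compressed bytes is the "quoted-overlap"
    layout the CVE describes. A normal archive yields an empty list.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        fp = io.BytesIO(data)
        extents = sorted((entry_extent(fp, zi), zi.filename) for zi in zf.infolist())
    overlaps = []
    prev_end, prev_name = 0, None
    for (start, end), name in extents:
        if start < prev_end:
            overlaps.append((prev_name, name))
        if end > prev_end:
            prev_end, prev_name = end, name
    return overlaps


def make_clean_zip():
    """Constructed fixture: an ordinary two-member archive written by zipfile."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("a.txt", b"A" * 1000)
        zf.writestr("b.txt", b"B" * 1000)
    return buf.getvalue()


def make_overlapping_zip():
    """Constructed fixture: one local entry, but two central-directory records
    that both point at it (the copy is renamed so the member names differ)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("a.txt", b"A" * 1000)
    data = buf.getvalue()
    sig, disk, cd_disk, _, _, cd_size, cd_offset, comment_len = EOCD.unpack(data[-EOCD.size:])
    assert sig == EOCD_SIG and comment_len == 0
    cd = data[cd_offset:cd_offset + cd_size]
    new_cd = cd + cd.replace(b"a.txt", b"b.txt")
    eocd = EOCD.pack(sig, disk, cd_disk, 2, 2, len(new_cd), cd_offset, 0)
    return data[:cd_offset] + new_cd + eocd


if __name__ == "__main__":
    print("clean archive:", find_overlaps(make_clean_zip()))            # []
    print("overlapping archive:", find_overlaps(make_overlapping_zip())) # [('a.txt', 'b.txt')]
```

The check deliberately uses the central directory's `compress_size` rather than the local header's, because a local header may carry zeros when a data descriptor follows the data; it ignores that descriptor, so it can only under-estimate an extent and never reports a false overlap. Run `find_overlaps` on untrusted archives before extracting them, and treat any non-empty result the way the fixed CPython does: refuse the archive.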

Key dates

Disclosure timeline

March 19, 2024 CVE published
November 3, 2025 Record updated