CVE-2019-9674 in Python
Summary
by MITRE
Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb.
Analysis
by VulDB Data Team • 11/22/2025
CVE-2019-9674 concerns Lib/zipfile.py, the standard library's ZIP reader and writer, in Python versions through 3.7.2. It is a classic resource-exhaustion issue: the module inflates whatever the archive's headers describe, so an attacker who can get a crafted archive processed by zipfile can make the consuming process burn memory, disk and CPU until it fails. A ZIP bomb exploits the basic property of compressed data that a small input can expand to a very large output. A single DEFLATE stream reaches roughly 1032:1, and nesting archives inside archives multiplies the ratio at every layer.
The issue is not a parsing bug but the absence of any limit: the module decompresses entries without a caller-settable cap on expansion, and a bomb is a perfectly well-formed archive, not a malformed one. Expansion is not exponential within a single layer, where DEFLATE tops out near 1032:1, so a few kilobytes become at most a few megabytes; the gigabyte and petabyte payloads come from nesting (the well-known 42.zip grows from 42 KB to about 4.5 PB through five layers of 16 archives each) or from overlapping entries whose headers all point at one shared compressed stream. The damage shows up wherever the inflated bytes go: ZipFile.read() materialises an entire entry in memory, while extract() and extractall() stream it to disk until the volume fills, so depending on the call site the result is an out-of-memory kill, a full disk, or a worker pinned at 100% CPU.
Operationally the exposure is any system that decompresses untrusted archives: web applications with upload endpoints, automated file-processing pipelines, mail and document scanners, and network services that accept ZIP input. The impact can reach beyond the one process, since a full disk or memory pressure on a shared host degrades neighbouring services and can cascade through anything that depends on them. No authentication or special privilege is needed beyond the ability to submit an archive, which makes the technique cheap for an attacker whose goal is disruption. The weakness is CWE-400 (Uncontrolled Resource Consumption); it is a property of the standard library rather than of one application, so every consumer of zipfile inherits it unless it imposes limits of its own.
Mitigation for CVE-2019-9674 has to come from the application rather than from a Python upgrade. Upstream's response (bpo-36260) was to add a "Decompression pitfalls" section to the zipfile documentation, not to introduce size or ratio limits: no Python release caps how far an entry may expand, and the zipfile API still hands the caller whatever the central directory describes. Applications that accept untrusted archives should therefore read each entry's ZipInfo.compress_size and file_size before touching its data, enforce a total decompressed-byte budget while reading in bounded chunks rather than calling read() or extractall() on the whole archive, treat an extreme compression ratio as grounds for rejection, and apply the same budget to nested archives, which hide a bomb behind an innocuous-looking outer entry. Later CPython releases reject archives whose entries overlap (CVE-2024-0450, the "quoted-overlap" ZIP bomb), but that change adds no size limit either. Network-level rate limiting and content inspection, OS resource limits on the extraction worker (an address-space rlimit, a cgroup memory cap, a quota on the extraction volume), and monitoring for sudden memory or disk growth in decompression workers provide defense in depth. In ATT&CK terms the attack falls under T1499 (Endpoint Denial of Service); the cited sub-technique T1499.001 is OS Exhaustion Flood, not network denial of service, which ATT&CK tracks separately as T1498. Security teams should inventory services that decompress user-supplied archives and alert on decompression workers whose resource consumption departs from baseline.
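The mechanism described under the technical analysis and the checks the mitigation paragraph calls for, as an added example that is not part of the VulDB entry or of CPython's zipfile module: a constructed single-layer bomb and a nested one are built in memory, declared_sizes reports what the central directory claims, and read_budgeted inflates entries in bounded chunks against a total byte budget that is shared across nesting levels. The function names, the 8 MiB budget used in the demo and the sample archives are this example's own choices.

```python
"""Added example (not from the CVE entry or CPython): budgeted ZIP reading."""
import io
import zipfile

CHUNK = 64 * 1024  # read granularity; the budget is re-checked after every chunk


class ZipBombError(Exception):
    """Raised as soon as an archive would inflate past the caller's budget."""


def make_zip(files):
    """Constructed fixture: build an in-memory ZIP of {name: bytes} at DEFLATE level 9."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED, compresslevel=9) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def declared_sizes(zip_bytes):
    """Total (compressed, uncompressed) bytes the central directory claims.
    Triage only: the numbers are attacker-supplied and say nothing about
    archives nested inside entries."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
    return (sum(i.compress_size for i in infos), sum(i.file_size for i in infos))


def read_budgeted(zip_bytes, budget, max_depth=2, _depth=0, _spent=None):
    """Return {path: data}, inflating at most `budget` bytes in total across all
    entries and nesting levels. Raises ZipBombError the moment that is exceeded."""
    spent = _spent if _spent is not None else [0]  # shared across recursion
    out = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Fast reject on the declared size. CPython truncates read() at
            # ZipInfo.file_size, so a declared size above the remaining budget
            # can never be read within it; a header that understates the size
            # only shortens the returned data, so the streaming check below
            # remains the control that holds regardless of the header.
            if info.file_size > budget - spent[0]:
                raise ZipBombError(f"{info.filename}: declares {info.file_size} bytes")
            chunks = []
            with zf.open(info) as fh:
                while True:
                    chunk = fh.read(CHUNK)
                    if not chunk:
                        break
                    spent[0] += len(chunk)
                    if spent[0] > budget:
                        raise ZipBombError(f"{info.filename}: budget of {budget} bytes exceeded")
                    chunks.append(chunk)
            data = b"".join(chunks)
            # A bomb inside a nested archive is invisible to the outer headers:
            # recurse and charge its contents against the same budget.
            if (_depth < max_depth and data[:4] == b"PK\x03\x04"
                    and zipfile.is_zipfile(io.BytesIO(data))):
                inner = read_budgeted(data, budget, max_depth, _depth + 1, spent)
                for name, blob in inner.items():
                    out[f"{info.filename}/{name}"] = blob
            else:
                out[info.filename] = data
    return out


def is_rejected(zip_bytes, budget, max_depth=2):
    """True when read_budgeted refuses the archive under the given budget."""
    try:
        read_budgeted(zip_bytes, budget, max_depth)
    except ZipBombError:
        return True
    return False


if __name__ == "__main__":
    bomb = make_zip({"payload.bin": b"\0" * (32 << 20)})  # 32 MiB of zeros -> ~32 KiB
    nested = make_zip({"inner.zip": bomb})                 # headers describe only the 32 KiB
    benign = make_zip({"a.txt": b"hello", "b.txt": b"x" * 1000})
    budget = 8 << 20  # 8 MiB, an assumed per-request limit
    for label, z in (("bomb", bomb), ("nested", nested), ("benign", benign)):
        verdict = "rejected" if is_rejected(z, budget) else "ok"
        print(f"{label:7s} declared={declared_sizes(z)} {verdict}")
```

The nested archive is the case worth noticing: its central directory only describes the size of the inner archive, not what that archive expands to, so a check that looks at ZipInfo sizes alone passes it, and only recursing with max_depth above zero and charging the inner entries to the same budget catches it. Calling read_budgeted with max_depth=0 returns the inner archive as opaque bytes, which is the right behaviour if the next stage applies the same budget again. Many moderate entries whose sum exceeds the budget are rejected by the running total rather than by any single declared size.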