CVE-2026-61455 in Gravinfo

Summary

by MITRE • 07/10/2026

Grav before 2.0.1 contains a decompression bomb vulnerability in ZipArchiver::extract() that lacks limits on uncompressed size, file count, and nesting depth. Attackers can supply a crafted ZIP archive that expands to fill available disk space, causing denial of service by exhausting storage resources.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/10/2026

The vulnerability resides within the ZipArchiver::extract() method of Grav CMS versions prior to 2.0.1, representing a critical decompression bomb flaw that directly violates security best practices for file processing operations. This issue stems from the absence of proper bounds checking on uncompressed archive contents, allowing malicious actors to craft specially designed zip files that can exponentially expand during extraction processes. The vulnerability operates by exploiting the fundamental design flaw where the system fails to impose limits on three critical parameters including uncompressed file size, total file count, and directory nesting depth, creating an environment where arbitrary input can lead to resource exhaustion.

From a technical perspective, the flaw constitutes a classic case of insufficient resource management and inadequate input validation as categorized under CWE-400. The vulnerability allows attackers to construct zip archives that appear small in size but decompress into massive amounts of data, effectively enabling a form of storage-based denial of service attack. When the ZipArchiver::extract() function processes such malicious archives, it blindly accepts all files without enforcing reasonable constraints on the expansion ratio between compressed and uncompressed data. This behavior creates an opportunity for attackers to fill disk partitions completely by exploiting the lack of size limits on individual extracted files and overall archive contents.

The operational impact of this vulnerability extends beyond simple denial of service scenarios, as it can result in complete system compromise when combined with other attack vectors. An attacker who successfully exploits this vulnerability can cause cascading failures throughout the system by consuming all available storage space, potentially leading to application crashes, data loss, or even system-wide outages. The vulnerability is particularly dangerous because it operates at the archive extraction level where legitimate administrative operations might occur, making detection difficult and increasing the attack surface significantly.

Security practitioners should implement immediate mitigations including updating to Grav version 2.0.1 or later, which contains proper bounds checking mechanisms for archive extraction processes. Additionally, system administrators should consider implementing disk space monitoring and automatic cleanup procedures as defensive measures. The vulnerability aligns with ATT&CK technique T1499.001 for denial of service through resource exhaustion, and represents a failure to implement proper input sanitization and resource limiting as recommended in secure coding practices. Organizations using Grav CMS should also review their backup and recovery procedures to ensure they can quickly restore systems that might become compromised by such attacks, while implementing network-level restrictions on file upload operations to limit potential attack vectors.

Responsible

VulnCheck

Reservation

07/09/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!