RubySec

Providing security resources for the Ruby community

CVE-2019-16892 (rubyzip): Denial of Service in rubyzip ("zip bombs")

ADVISORIES

GEM

rubyzip

PATCHED VERSIONS

  • >= 1.3.0

DESCRIPTION

In Rubyzip before 1.3.0, a crafted ZIP file can bypass application checks on ZIP entry sizes because data about the uncompressed size can be spoofed. This allows attackers to cause a denial of service (disk consumption).