CVE-2025-30153 Information
Description
kin-openapi is a Go library for working with OpenAPI documents. In versions prior to 0.131.0, when a request is validated against a multipart/form-data schema and that schema permits a file part, an attacker can upload a crafted ZIP file (for example a ZIP bomb) that makes the server consume all available memory while the body is decoded. The root cause is the ZipFileBodyDecoder, which the module registers automatically, contrary to what the documentation states, so that any multipart/form-data schema accepting a file is exposed without the application opting in. The issue is fixed in version 0.131.0; applications on earlier versions should upgrade, and any service that decompresses untrusted archives should bound the decompressed size rather than trust the archive's own headers.
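The failure mode above is the general one for archive decoders: decompressing attacker-supplied data with no bound on the output. The following Go program is an added example, not code from kin-openapi or from the fix commit referenced below, that builds a small in-memory archive with a roughly 1000:1 expansion ratio (constructed sample input), then contrasts an unbounded reader, which mirrors the vulnerable behaviour, with a bounded reader that rejects the archive once the decompressed byte count exceeds a caller-chosen ceiling. The function names, the limit, and the archive contents are all assumptions of this example. kin-openapi's own mechanism for attaching decoders to content types is described in the README link in the references; this example deliberately uses only the standard library so it runs on its own.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
)

// ErrArchiveTooLarge is returned when the decompressed size of an archive
// exceeds the caller's ceiling. (Name chosen for this example.)
var ErrArchiveTooLarge = errors.New("zip: decompressed size exceeds limit")

// buildZip returns an in-memory ZIP holding one entry of n zero bytes.
// Zeros compress extremely well under Deflate, so this is a constructed
// stand-in for a ZIP bomb: a few kilobytes on the wire, megabytes decoded.
func buildZip(name string, n int) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	f, err := w.Create(name) // Deflate is the default method for Create
	if err != nil {
		panic(err)
	}
	if _, err := f.Write(bytes.Repeat([]byte{0}, n)); err != nil {
		panic(err)
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// unboundedTotalSize models the vulnerable pattern: every entry is read fully
// into memory with no ceiling, so memory use is whatever the archive expands to.
func unboundedTotalSize(data []byte) (int, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return 0, err
	}
	total := 0
	for _, f := range r.File {
		rc, err := f.Open()
		if err != nil {
			return 0, err
		}
		b, err := io.ReadAll(rc) // allocates the full decompressed entry
		rc.Close()
		if err != nil {
			return 0, err
		}
		total += len(b)
	}
	return total, nil
}

// boundedTotalSize is the hardened form. It rejects early on the declared
// size (cheap, but the header is attacker-controlled and may lie), then
// enforces the ceiling on the bytes actually produced by the decompressor,
// which is the check that cannot be bypassed by forging headers.
func boundedTotalSize(data []byte, maxTotal uint64) (uint64, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return 0, err
	}
	remaining := maxTotal
	for _, f := range r.File {
		if f.UncompressedSize64 > remaining {
			return 0, ErrArchiveTooLarge
		}
		rc, err := f.Open()
		if err != nil {
			return 0, err
		}
		// Read at most remaining+1 bytes: one extra byte is enough to detect
		// overflow without ever buffering the whole entry.
		n, err := io.Copy(io.Discard, io.LimitReader(rc, int64(remaining)+1))
		rc.Close()
		if err != nil {
			return 0, err
		}
		if uint64(n) > remaining {
			return 0, ErrArchiveTooLarge
		}
		remaining -= uint64(n)
	}
	return maxTotal - remaining, nil
}

func main() {
	blob := buildZip("upload.bin", 4<<20) // 4 MiB of zeros, a few KiB compressed
	fmt.Printf("archive on the wire: %d bytes\n", len(blob))
	if n, err := unboundedTotalSize(blob); err == nil {
		fmt.Printf("unbounded decode allocated %d bytes\n", n)
	}
	if _, err := boundedTotalSize(blob, 1<<20); err != nil {
		fmt.Println("bounded decode with 1 MiB ceiling:", err)
	}
}
```

In a request-validation path the ceiling would be derived from the same limit the application already applies to request bodies, and the rejection should happen before any per-entry buffer is allocated, as the bounded function does by streaming into io.Discard.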
References
https://github.com/getkin/kin-openapi/blob/6da871e0e170b7637eb568c265c08bc2b5d6e7a3/openapi3filter/req_resp_decoder.go#L1275
https://github.com/getkin/kin-openapi/blob/6da871e0e170b7637eb568c265c08bc2b5d6e7a3/openapi3filter/req_resp_decoder.go#L1523
https://github.com/getkin/kin-openapi/commit/67f0b233ffc01332f7d993f79490fbea5f4455f1
https://github.com/getkin/kin-openapi/security/advisories/GHSA-wq9g-9vfc-cfq9
https://github.com/getkin/kin-openapi?tab=readme-ov-file#custom-content-type-for-body-of-http-requestresponse