CVE-2025-30153

kin-openapi is a Go project for handling OpenAPI files. Prior to 0.131.0, when validating a request with a multipart/form-data schema, if the OpenAPI schema allows it, an attacker can upload a crafted ZIP file (e.g., a ZIP bomb), causing the server to consume all available system memory. The root cause comes from the ZipFileBodyDecoder, which is registered automatically by the module (contrary to what the documentation says). This vulnerability is fixed in 0.131.0.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/getkin/kin-openapi/blob/6da871e0e170b7637eb568c265c08bc2b5d6e7a3/openapi3filter/req_resp_decoder.go#L1275
https://github.com/getkin/kin-openapi/blob/6da871e0e170b7637eb568c265c08bc2b5d6e7a3/openapi3filter/req_resp_decoder.go#L1523
https://github.com/getkin/kin-openapi/commit/67f0b233ffc01332f7d993f79490fbea5f4455f1
https://github.com/getkin/kin-openapi/security/advisories/GHSA-wq9g-9vfc-cfq9
https://github.com/getkin/kin-openapi?tab=readme-ov-file#custom-content-type-for-body-of-http-requestresponse

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) kin-openapi es un proyecto de Go para gestionar archivos OpenAPI. Antes de la versión 0.131.0, al validar una solicitud con un esquema multipart/form-data, si el esquema OpenAPI lo permite, un atacante puede cargar un archivo ZIP manipulado (por ejemplo, una bomba ZIP), lo que provoca que el servidor consuma toda la memoria disponible del sistema. La causa principal proviene del ZipFileBodyDecoder, que el módulo registra automáticamente (al contrario de lo que indica la documentación). Esta vulnerabilidad se corrigió en la versión 0.131.0.

19 Mar 2025, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-19 16:15

Updated : 2026-06-17 09:08

NVD link : CVE-2025-30153

Mitre link : CVE-2025-30153

CVE.ORG link : CVE-2025-30153

JSON object : View

Products Affected

No product.

CWE

CWE-409

Improper Handling of Highly Compressed Data (Data Amplification)

{"id": "CVE-2025-30153", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2025-30153", "role": "CISA Coordinator", "options": [{"exploitation": "poc"}, {"automatable": "yes"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-19T18:24:49.750819Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "affected": [{"source": "security-advisories@github.com", "affectedData": [{"vendor": "getkin", "product": "kin-openapi", "versions": [{"status": "affected", "version": "< 0.131.0"}]}]}], "published": "2025-03-19T16:15:33.607", "references": [{"url": "https://github.com/getkin/kin-openapi/blob/6da871e0e170b7637eb568c265c08bc2b5d6e7a3/openapi3filter/req_resp_decoder.go#L1275", "source": "security-advisories@github.com"}, {"url": "https://github.com/getkin/kin-openapi/blob/6da871e0e170b7637eb568c265c08bc2b5d6e7a3/openapi3filter/req_resp_decoder.go#L1523", "source": "security-advisories@github.com"}, {"url": "https://github.com/getkin/kin-openapi/commit/67f0b233ffc01332f7d993f79490fbea5f4455f1", "source": "security-advisories@github.com"}, {"url": "https://github.com/getkin/kin-openapi/security/advisories/GHSA-wq9g-9vfc-cfq9", "source": "security-advisories@github.com"}, {"url": "https://github.com/getkin/kin-openapi?tab=readme-ov-file#custom-content-type-for-body-of-http-requestresponse", "source": "security-advisories@github.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-409"}]}], "descriptions": [{"lang": "en", "value": "kin-openapi is a Go project for handling OpenAPI files. Prior to 0.131.0, when validating a request with a multipart/form-data schema, if the OpenAPI schema allows it, an attacker can upload a crafted ZIP file (e.g., a ZIP bomb), causing the server to consume all available system memory. The root cause comes from the ZipFileBodyDecoder, which is registered automatically by the module (contrary to what the documentation says). This vulnerability is fixed in 0.131.0."}, {"lang": "es", "value": "kin-openapi es un proyecto de Go para gestionar archivos OpenAPI. Antes de la versi\u00f3n 0.131.0, al validar una solicitud con un esquema multipart/form-data, si el esquema OpenAPI lo permite, un atacante puede cargar un archivo ZIP manipulado (por ejemplo, una bomba ZIP), lo que provoca que el servidor consuma toda la memoria disponible del sistema. La causa principal proviene del ZipFileBodyDecoder, que el m\u00f3dulo registra autom\u00e1ticamente (al contrario de lo que indica la documentaci\u00f3n). Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 0.131.0."}], "lastModified": "2026-06-17T09:08:15.600", "sourceIdentifier": "security-advisories@github.com"}