Description

kin-openapi is a Go project for handling OpenAPI files. Prior to 0.131.0, when validating a request with a multipart/form-data schema, if the OpenAPI schema allows it, an attacker can upload a crafted ZIP file (e.g., a ZIP bomb), causing the server to consume all available system memory. The root cause comes from the ZipFileBodyDecoder, which is registered automatically by the module (contrary to what the documentation says). This vulnerability is fixed in 0.131.0.

INFO

Published Date :

2025-03-19T16:03:26.947Z

Last Modified :

2025-03-19T18:25:11.787Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-30153 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-30153.

URL Resource
https://github.com/getkin/kin-openapi/blob/6da871e0e170b7637eb568c265c08bc2b5d6e7a3/openapi3filter/req_resp_decoder.go#L1275 cve-icon cve-icon cve-icon
https://github.com/getkin/kin-openapi/blob/6da871e0e170b7637eb568c265c08bc2b5d6e7a3/openapi3filter/req_resp_decoder.go#L1523 cve-icon cve-icon cve-icon
https://github.com/getkin/kin-openapi/commit/67f0b233ffc01332f7d993f79490fbea5f4455f1 cve-icon cve-icon cve-icon
https://github.com/getkin/kin-openapi/security/advisories/GHSA-wq9g-9vfc-cfq9 cve-icon cve-icon cve-icon
https://github.com/getkin/kin-openapi?tab=readme-ov-file#custom-content-type-for-body-of-http-requestresponse cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-30153 cve-icon
https://pkg.go.dev/vuln/GO-2025-3533 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-30153 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact