GHSA-XG43-5579-QW6V: Uncontrolled Resource Consumption (Decompression Bomb) in adawolfa/isdoc
Vulnerability ID: GHSA-XG43-5579-QW6V
CVSS Score: 7.5
Published: 2026-07-15
A high-severity vulnerability exists in the adawolfa/isdoc PHP library before versions 1.4.1 and 2.0.0. The library fails to restrict or validate the sizes of files extracted from untrusted Zip archives (.isdocx container files) or PDF embedded streams. This allows remote attackers to perform decompression bomb attacks, causing denial of service via memory or disk exhaustion.
TL;DR
Uncontrolled file extraction in adawolfa/isdoc allows remote attackers to cause denial of service via zip decompression bombs or directory traversal.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-409 (Improper Handling of Highly Compressed Data)
- Attack Vector: Network (Remote)
- CVSS Score: 7.5 (High)
- EPSS Score: 0.01
- Impact: Denial of Service (Memory/Disk Exhaustion)
- Exploit Status: Proof-of-Concept Available
- KEV Status: Not Listed
Affected Systems
- adawolfa/isdoc PHP library (Composer package)
-
adawolfa/isdoc: < 1.4.1 (Fixed in:
1.4.1) -
adawolfa/isdoc: >= 2.0.0-alpha, < 2.0.0 (Fixed in:
2.0.0)
Code Analysis
Commit: 02a1012
Fix decompression bombs, XXE and path traversal
Commit: 935fb2a
Backport security fixes to 1.4 branch
Exploit Details
- GitHub: The regression tests in the security commit provide a functional PoC illustrating ZIP central directory forging to test the mitigation.
Mitigation Strategies
- Update the adawolfa/isdoc package to version 1.4.1, 2.0.0, or newer.
- Configure strict system memory limits and script timeouts in PHP configurations to minimize the blast radius of resource exhaustion crashes.
- Sanitize all uploaded document filenames using basename() to prevent path traversal.
- Explicitly disable external entity loading in PHP's libxml settings.
Remediation Steps:
- Run 'composer update adawolfa/isdoc' to fetch the latest secure release.
- Verify the installed version in composer.lock is either 1.4.1 or >= 2.0.0.
- Locate the code handling document uploads and apply the basename() sanitization wrapper to the supplement storage path.
- Audit any custom stream wrapper configurations to ensure remote protocols cannot bypass local size evaluations.
References
- adawolfa/isdoc Repository
- 2.x Security Patch Commit
- 1.4.x Security Patch Commit
- GitHub Security Advisory GHSA-XG43-5579-QW6V
Read the full report for GHSA-XG43-5579-QW6V on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)