DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-XG43-5579-QW6V: GHSA-XG43-5579-QW6V: Uncontrolled Resource Consumption (Decompression Bomb) in adawolfa/isdoc

GHSA-XG43-5579-QW6V: Uncontrolled Resource Consumption (Decompression Bomb) in adawolfa/isdoc

Vulnerability ID: GHSA-XG43-5579-QW6V
CVSS Score: 7.5
Published: 2026-07-15

A high-severity vulnerability exists in the adawolfa/isdoc PHP library before versions 1.4.1 and 2.0.0. The library fails to restrict or validate the sizes of files extracted from untrusted Zip archives (.isdocx container files) or PDF embedded streams. This allows remote attackers to perform decompression bomb attacks, causing denial of service via memory or disk exhaustion.

TL;DR

Uncontrolled file extraction in adawolfa/isdoc allows remote attackers to cause denial of service via zip decompression bombs or directory traversal.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-409 (Improper Handling of Highly Compressed Data)
  • Attack Vector: Network (Remote)
  • CVSS Score: 7.5 (High)
  • EPSS Score: 0.01
  • Impact: Denial of Service (Memory/Disk Exhaustion)
  • Exploit Status: Proof-of-Concept Available
  • KEV Status: Not Listed

Affected Systems

  • adawolfa/isdoc PHP library (Composer package)
  • adawolfa/isdoc: < 1.4.1 (Fixed in: 1.4.1)
  • adawolfa/isdoc: >= 2.0.0-alpha, < 2.0.0 (Fixed in: 2.0.0)

Code Analysis

Commit: 02a1012

Fix decompression bombs, XXE and path traversal

Commit: 935fb2a

Backport security fixes to 1.4 branch

Exploit Details

  • GitHub: The regression tests in the security commit provide a functional PoC illustrating ZIP central directory forging to test the mitigation.

Mitigation Strategies

  • Update the adawolfa/isdoc package to version 1.4.1, 2.0.0, or newer.
  • Configure strict system memory limits and script timeouts in PHP configurations to minimize the blast radius of resource exhaustion crashes.
  • Sanitize all uploaded document filenames using basename() to prevent path traversal.
  • Explicitly disable external entity loading in PHP's libxml settings.

Remediation Steps:

  1. Run 'composer update adawolfa/isdoc' to fetch the latest secure release.
  2. Verify the installed version in composer.lock is either 1.4.1 or >= 2.0.0.
  3. Locate the code handling document uploads and apply the basename() sanitization wrapper to the supplement storage path.
  4. Audit any custom stream wrapper configurations to ensure remote protocols cannot bypass local size evaluations.

References


Read the full report for GHSA-XG43-5579-QW6V on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)