CVE-2021-35516
Denial of Service (DoS) vulnerability in commons-compress (Maven)
What is CVE-2021-35516 About?
This vulnerability in Compress' sevenz package leads to a Denial of Service (DoS) by causing excessive memory allocation when processing specially crafted 7Z archives. Even a small malicious input can trigger an out-of-memory error and leave the service unresponsive. Exploitation is relatively easy: an attacker need only supply a malformed archive.
Affected Software
Technical Details
The Compress library's sevenz package is vulnerable to an out-of-memory denial of service. When processing a specially crafted 7Z archive, the library can be coerced into allocating an inordinately large amount of memory, far exceeding the actual size of the input data. This behavior is typically caused by malformed metadata or headers within the 7Z archive that, when parsed, trigger an inefficient memory allocation routine. For example, an attacker could specify very large uncompressed sizes for deeply nested compressed streams or manipulate dictionary sizes. This leads to the program attempting to allocate gigabytes of memory even for a small input file, ultimately exhausting system resources and causing an out-of-memory error, thereby terminating the service that uses the library.
What is the Impact of CVE-2021-35516?
Successful exploitation may allow attackers to cause a denial of service by triggering excessive memory allocation, leading to application crashes or system unresponsiveness.
What is the Exploitability of CVE-2021-35516?
Exploiting this Denial of Service (DoS) vulnerability is of low complexity. An attacker needs to be able to supply a specially crafted 7Z archive to a service that uses Compress' sevenz package. There are typically no authentication or privilege requirements beyond the ability to upload or transmit an archive to the target service. This is often a remote vulnerability, as archive processing services are frequently exposed to external input. The main prerequisite is the service's use of the vulnerable sevenz package and its willingness to process untrusted 7Z archives. Services at risk include file upload services, mail servers, and any application that decompresses untrusted 7Z files.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-35516?
About the Fix from Resolved Security
This patch adds extensive sanity checks on 7z archive structure fields, including bounds checks, size validations, and logical consistency validation, when parsing the 7z file format. By enforcing strict validation on headers, stream info, and file properties, it prevents attackers from exploiting unchecked or malformed fields to cause out-of-bounds reads/writes or DoS, thereby fixing CVE-2021-35516. It mitigates the vulnerability by ensuring all parsed fields are within safe and valid ranges, eliminating unsafe assumptions about archive integrity.
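As an added illustration (not code from commons-compress and not Resolved Security's patch), the following Java program contrasts the allocation pattern described under Technical Details with the kind of field validation the fix description above refers to. The toy archive layout, the `SevenZSizeCheckDemo` class, the 64 MiB `MAX_DECLARED_SIZE` cap and the sample inputs are all constructed for the example; the real 7z header layout is not reproduced.

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;

/*
 * Added illustration, not commons-compress code. The toy "archive" is a
 * single 64-bit little-endian "unpacked size" field followed by payload
 * bytes. The real 7z format is far more involved; the pattern, however, is
 * the one the advisory describes: an untrusted size field drives an allocation.
 */
public final class SevenZSizeCheckDemo {

    /* Assumption: the largest single buffer this service is willing to allocate. */
    static final long MAX_DECLARED_SIZE = 64L * 1024 * 1024;

    /* Vulnerable pattern: the declared size is trusted and allocated as-is. */
    static byte[] readUnchecked(byte[] archive) {
        ByteBuffer buf = ByteBuffer.wrap(archive).order(ByteOrder.LITTLE_ENDIAN);
        long declared = buf.getLong();
        // A few bytes of input can demand gigabytes here; values above
        // Integer.MAX_VALUE wrap on the cast and throw NegativeArraySizeException.
        byte[] out = new byte[(int) declared];
        buf.get(out, 0, Math.min(out.length, buf.remaining()));
        return out;
    }

    /* Hardened pattern: every size field is checked before any allocation. */
    static byte[] readChecked(byte[] archive) throws IOException {
        ByteBuffer buf = ByteBuffer.wrap(archive).order(ByteOrder.LITTLE_ENDIAN);
        if (buf.remaining() < Long.BYTES) {
            throw new IOException("truncated header");
        }
        long declared = buf.getLong();
        if (declared < 0 || declared > Integer.MAX_VALUE) {
            throw new IOException("size field does not fit a Java array: " + declared);
        }
        if (declared > MAX_DECLARED_SIZE) {
            throw new IOException("declared size " + declared + " exceeds limit " + MAX_DECLARED_SIZE);
        }
        if (declared > buf.remaining()) {
            throw new IOException("declared size " + declared + " exceeds the "
                    + buf.remaining() + " bytes actually present");
        }
        byte[] out = new byte[(int) declared];
        buf.get(out);
        return out;
    }

    /* Builds a constructed sample archive: 8-byte size field, then payload. */
    static byte[] sample(long declaredSize, byte[] payload) {
        ByteBuffer buf = ByteBuffer.allocate(Long.BYTES + payload.length).order(ByteOrder.LITTLE_ENDIAN);
        buf.putLong(declaredSize).put(payload);
        return buf.array();
    }

    public static void main(String[] args) throws IOException {
        byte[] payload = "hello".getBytes(StandardCharsets.US_ASCII);
        byte[] benign = sample(payload.length, payload);
        // Constructed hostile input: a 13-byte file claiming nearly 2 GiB of content.
        byte[] hostile = sample(Integer.MAX_VALUE - 8L, payload);

        System.out.println("benign, unchecked: " + new String(readUnchecked(benign), StandardCharsets.US_ASCII));
        System.out.println("benign, checked:   " + new String(readChecked(benign), StandardCharsets.US_ASCII));

        // readUnchecked(hostile) is deliberately not called: it would attempt a
        // ~2 GiB allocation for a 13-byte input, which is the failure mode of the CVE.
        try {
            readChecked(hostile);
        } catch (IOException e) {
            System.out.println("hostile, checked:  rejected (" + e.getMessage() + ")");
        }
    }
}
```

Run it with `java SevenZSizeCheckDemo.java` (Java 11 or later). The checks in `readChecked` follow the principle in the fix description: a size must fit the type it will be stored in, stay under a policy limit, and not exceed the input that is actually present. For deployments that cannot move off a vulnerable version immediately, the same idea applies one layer up: cap the size of archives accepted from untrusted sources and run extraction in a process with a bounded heap, so an oversized allocation fails that worker rather than the whole service. To confirm which version a Maven build actually resolves, including transitive pulls, `mvn dependency:tree -Dincludes=org.apache.commons:commons-compress` lists every path that brings the artifact in.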
Available Upgrade Options
- org.apache.commons:commons-compress
  - <1.21 → Upgrade to 1.21
Additional Resources
- https://lists.apache.org/thread.html/rf68442d67eb166f4b6cf0bbbe6c7f99098c12954f37332073c9822ca%40%3Cuser.commons.apache.org%3E
- https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae@%3Cnotifications.skywalking.apache.org%3E
- https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c%40%3Cnotifications.skywalking.apache.org%3E
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://lists.apache.org/thread.html/rf5b1016fb15b7118b9a5e16bb0b78cb4f1dfcf7821eb137ab5757c91@%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee@%3Cnotifications.skywalking.apache.org%3E
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71@%3Ccommits.pulsar.apache.org%3E
What are Similar Vulnerabilities to CVE-2021-35516?
Similar Vulnerabilities: CVE-2021-35517, CVE-2021-35515, CVE-2021-35518, CVE-2021-25219, CVE-2017-1000490
