CVE-2024-25710
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in commons-compress (Maven)
What is CVE-2024-25710 About?
This vulnerability involves an infinite loop in Apache Commons Compress versions 1.3 through 1.25.0, caused by a loop with an unreachable exit condition. Successful exploitation can lead to a denial-of-service, as the affected application becomes unresponsive, though exploitation typically requires an attacker to provide malformed input. It is relatively easy to exploit by crafting specific archive files.
Affected Software
Technical Details
The vulnerability resides in Apache Commons Compress where certain processing logic, particularly within archive decompression, enters a loop that lacks a viable exit condition. This infinite loop is triggered when handling specially crafted compressed data within affected versions. Upon encountering such malicious input, the program repeatedly executes the same block of code without termination, consuming CPU resources indefinitely and preventing the application from processing further requests or completing its intended function. This effectively leads to a denial-of-service condition.
What is the Impact of CVE-2024-25710?
Successful exploitation may allow attackers to cause a denial-of-service, making the affected application unresponsive and unavailable to legitimate users.
What is the Exploitability of CVE-2024-25710?
Exploitation of this vulnerability is of moderate complexity. It requires an attacker to supply specially crafted input (e.g., a malformed compressed file) to a system that processes data using the vulnerable Apache Commons Compress library. No authentication is required if the application accepts untrusted input directly; otherwise only standard user privileges (for example, the ability to upload files) are needed. This is typically a remote attack vector, as the attacker delivers the malicious input to the target system over a network. The likelihood of exploitation increases if the application frequently processes files from untrusted sources without robust input validation.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-25710?
Available Upgrade Options
- org.apache.commons:commons-compress
  - >1.3, <1.26.0 → Upgrade to 1.26.0
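As an added example (not part of this advisory or of the Apache project), the following Python script scans `mvn dependency:list` output for commons-compress artifacts whose version falls inside the affected range the advisory describes (1.3 through 1.25.0, fixed in 1.26.0). The sample output is constructed; the line format `groupId:artifactId:type[:classifier]:version:scope` is Maven's standard listing format.

```python
import re

# Affected range as stated in the advisory: 1.3 through 1.25.0, fixed in 1.26.0.
AFFECTED_MIN = "1.3"
FIXED_IN = "1.26.0"
COORD = "org.apache.commons:commons-compress"

# Constructed sample of `mvn dependency:list` output (not captured from a real build).
SAMPLE_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.commons:commons-compress:jar:1.24.0:compile
[INFO]    org.apache.commons:commons-compress:jar:1.26.0:test
[INFO]    org.apache.commons:commons-lang3:jar:3.14.0:compile
[INFO]    com.example:widget:jar:sources:1.25.0:runtime
[INFO]    org.apache.commons:commons-compress:jar:1.2:compile
"""

def parse_version(v):
    """Split a dotted version into a tuple of ints; non-numeric parts (e.g. '-rc1') are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def cmp_versions(a, b):
    """Compare two version tuples, zero-padding the shorter so that 1.3 == 1.3.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)

def is_affected(version):
    """True when AFFECTED_MIN <= version < FIXED_IN."""
    v = parse_version(version)
    return (cmp_versions(v, parse_version(AFFECTED_MIN)) >= 0
            and cmp_versions(v, parse_version(FIXED_IN)) < 0)

def find_affected(output):
    """Return (groupId:artifactId, version, scope) for each vulnerable commons-compress line."""
    hits = []
    for line in output.splitlines():
        m = re.match(r"\[INFO\]\s+(\S+)", line)
        if not m:
            continue
        parts = m.group(1).split(":")
        if len(parts) < 5:          # not a dependency coordinate line
            continue
        ga = ":".join(parts[:2])
        version, scope = parts[-2], parts[-1]   # works with or without a classifier
        if ga == COORD and is_affected(version):
            hits.append((ga, version, scope))
    return hits

if __name__ == "__main__":
    for ga, version, scope in find_affected(SAMPLE_OUTPUT):
        print(f"{ga}:{version} ({scope}) is affected by CVE-2024-25710; upgrade to {FIXED_IN}")
```

Pipe a real `mvn dependency:list` run into `find_affected` to check a build; transitive dependencies appear in that listing too, so a vulnerable copy pulled in indirectly is flagged as well.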
Additional Resources
- https://security.netapp.com/advisory/ntap-20240307-0010
- http://www.openwall.com/lists/oss-security/2024/02/19/1
- https://lists.apache.org/thread/cz8qkcwphy4cx8gltn932ln51cbtq6kf
- https://osv.dev/vulnerability/GHSA-4g9r-vxhx-9pgx
- https://github.com/apache/commons-compress
- https://nvd.nist.gov/vuln/detail/CVE-2024-25710
What are Similar Vulnerabilities to CVE-2024-25710?
Similar Vulnerabilities: CVE-2021-38185, CVE-2019-12402, CVE-2019-10086, CVE-2018-11771, CVE-2020-17521
