Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-61728

Summary
Assigner-Go
Assigner Org ID-1bb62c36-49e3-4200-9d77-64a1400537cc
Published At-28 Jan, 2026 | 19:30
Updated At-29 Jan, 2026 | 18:30
Rejected At-
Credits

Excessive CPU consumption when building archive index in archive/zip

archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Go
Assigner Org ID:1bb62c36-49e3-4200-9d77-64a1400537cc
Published At:28 Jan, 2026 | 19:30
Updated At:29 Jan, 2026 | 18:30
Rejected At:
â–¼CVE Numbering Authority (CNA)
Excessive CPU consumption when building archive index in archive/zip

archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.

Affected Products
Vendor
Go standard library
Product
archive/zip
Collection URL
https://pkg.go.dev
Package Name
archive/zip
Program Routines
  • Reader.initFileList
  • Reader.Open
Default Status
unaffected
Versions
Affected
  • From 0 before 1.24.12 (semver)
  • From 1.25.0 before 1.25.6 (semver)
Problem Types
TypeCWE IDDescription
N/AN/ACWE-407: Inefficient Algorithmic Complexity
Type: N/A
CWE ID: N/A
Description: CWE-407: Inefficient Algorithmic Complexity
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Jakub Ciolek
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://go.dev/cl/736713
N/A
https://go.dev/issue/77102
N/A
https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc
N/A
https://pkg.go.dev/vuln/GO-2026-4342
N/A
Hyperlink: https://go.dev/cl/736713
Resource: N/A
Hyperlink: https://go.dev/issue/77102
Resource: N/A
Hyperlink: https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc
Resource: N/A
Hyperlink: https://pkg.go.dev/vuln/GO-2026-4342
Resource: N/A
â–¼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
http://www.openwall.com/lists/oss-security/2026/01/15/4
N/A
Hyperlink: http://www.openwall.com/lists/oss-security/2026/01/15/4
Resource: N/A
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@golang.org
Published At:28 Jan, 2026 | 20:16
Updated At:06 Feb, 2026 | 18:45

archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Type: Secondary
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CPE Matches
Go
golang
>>go>>Versions before 1.24.12(exclusive)
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
Go
golang
>>go>>Versions from 1.25.0(inclusive) to 1.25.6(exclusive)
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-770Primarynvd@nist.gov
CWE ID: CWE-770
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://go.dev/cl/736713security@golang.org
Patch
https://go.dev/issue/77102security@golang.org
Patch
https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUcsecurity@golang.org
Release Notes
https://pkg.go.dev/vuln/GO-2026-4342security@golang.org
Vendor Advisory
http://www.openwall.com/lists/oss-security/2026/01/15/4af854a3a-2127-422b-91ae-364da2661108
Exploit
Mailing List
Third Party Advisory
Hyperlink: https://go.dev/cl/736713
Source: security@golang.org
Resource:
Patch
Hyperlink: https://go.dev/issue/77102
Source: security@golang.org
Resource:
Patch
Hyperlink: https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc
Source: security@golang.org
Resource:
Release Notes
Hyperlink: https://pkg.go.dev/vuln/GO-2026-4342
Source: security@golang.org
Resource:
Vendor Advisory
Hyperlink: http://www.openwall.com/lists/oss-security/2026/01/15/4
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Exploit
Mailing List
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

68Records found
CVE-2020-0353
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-6.5||MEDIUM
EPSS-0.29% / 52.64%
||
7 Day CHG~0.00%
Published-17 Sep, 2020 | 20:57
Updated-04 Aug, 2024 | 05:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In libmp4extractor, there is a possible resource exhaustion due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-124777526

Action-Not Available
Vendor-n/aGoogle LLC
Product-androidAndroid
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CWE ID-CWE-20
Improper Input Validation
CVE-2023-5371
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.05% / 15.59%
||
7 Day CHG~0.00%
Published-04 Oct, 2023 | 16:01
Updated-27 Mar, 2026 | 13:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Memory Allocation with Excessive Size Value in Wireshark

RTPS dissector memory leak in Wireshark 4.0.0 to 4.0.8 and 3.6.0 to 3.6.16 allows denial of service via packet injection or crafted capture file

Action-Not Available
Vendor-Wireshark Foundation
Product-wiresharkWireshark
CWE ID-CWE-789
Memory Allocation with Excessive Size Value
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-4578
Matching Score-4
Assigner-Mozilla Corporation
ShareView Details
Matching Score-4
Assigner-Mozilla Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.11% / 28.84%
||
7 Day CHG~0.00%
Published-11 Sep, 2023 | 08:01
Updated-18 Dec, 2025 | 15:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Error reporting methods in SpiderMonkey could have triggered an Out of Memory Exception

When calling `JS::CheckRegExpSyntax` a Syntax Error could have been set which would end in calling `convertToRuntimeErrorAndClear`. A path in the function could attempt to allocate memory when none is available which would have caused a newly created Out of Memory exception to be mishandled as a Syntax Error. This vulnerability affects Firefox < 117, Firefox ESR < 115.2, and Thunderbird < 115.2.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxthunderbirdfirefox_esrFirefoxFirefox ESRThunderbird
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2019-20015
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.58% / 68.93%
||
7 Day CHG~0.00%
Published-27 Dec, 2019 | 00:14
Updated-05 Aug, 2024 | 02:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in GNU LibreDWG 0.92. Crafted input will lead to an attempted excessive memory allocation in dwg_decode_LWPOLYLINE_private in dwg.spec.

Action-Not Available
Vendor-n/aGNUopenSUSE
Product-libredwgbackports_sleleapn/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2019-20009
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.56% / 68.25%
||
7 Day CHG~0.00%
Published-27 Dec, 2019 | 00:15
Updated-05 Aug, 2024 | 02:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in GNU LibreDWG before 0.93. Crafted input will lead to an attempted excessive memory allocation in dwg_decode_SPLINE_private in dwg.spec.

Action-Not Available
Vendor-n/aGNUopenSUSE
Product-libredwgbackports_sleleapn/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2019-20019
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.40% / 60.90%
||
7 Day CHG~0.00%
Published-27 Dec, 2019 | 01:11
Updated-05 Aug, 2024 | 02:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An attempted excessive memory allocation was discovered in Mat_VarRead5 in mat5.c in matio 1.5.17.

Action-Not Available
Vendor-matio_projectn/a
Product-mation/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2019-20012
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.58% / 68.93%
||
7 Day CHG~0.00%
Published-27 Dec, 2019 | 00:15
Updated-05 Aug, 2024 | 02:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in GNU LibreDWG 0.92. Crafted input will lead to an attempted excessive memory allocation in dwg_decode_HATCH_private in dwg.spec.

Action-Not Available
Vendor-n/aGNUopenSUSE
Product-libredwgbackports_sleleapn/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2019-19958
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.43% / 62.83%
||
7 Day CHG~0.00%
Published-24 Dec, 2019 | 21:58
Updated-05 Aug, 2024 | 02:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In libIEC61850 1.4.0, StringUtils_createStringFromBuffer in common/string_utilities.c has an integer signedness issue that could lead to an attempted excessive memory allocation and denial of service.

Action-Not Available
Vendor-mz-automationn/a
Product-libiec61850n/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CWE ID-CWE-681
Incorrect Conversion between Numeric Types
CVE-2019-20013
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.56% / 68.25%
||
7 Day CHG~0.00%
Published-27 Dec, 2019 | 00:14
Updated-05 Aug, 2024 | 02:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in GNU LibreDWG before 0.93. Crafted input will lead to an attempted excessive memory allocation in decode_3dsolid in dwg.spec.

Action-Not Available
Vendor-n/aGNUopenSUSE
Product-libredwgbackports_sleleapn/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-33720
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.08% / 23.55%
||
7 Day CHG~0.00%
Published-26 May, 2023 | 00:00
Updated-14 Jan, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

mp4v2 v2.1.2 was discovered to contain a memory leak via the class MP4BytesProperty.

Action-Not Available
Vendor-mp4v2_projectn/a
Product-mp4v2n/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2022-2134
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.1||HIGH
EPSS-0.28% / 51.08%
||
7 Day CHG~0.00%
Published-20 Jun, 2022 | 00:00
Updated-03 Aug, 2024 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Allocation of Resources Without Limits or Throttling in inventree/inventree

Allocation of Resources Without Limits or Throttling in GitHub repository inventree/inventree prior to 0.8.0.

Action-Not Available
Vendor-inventree_projectinventree
Product-inventreeinventree/inventree
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2019-7704
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.31% / 54.24%
||
7 Day CHG~0.00%
Published-10 Feb, 2019 | 22:00
Updated-04 Aug, 2024 | 20:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

wasm::WasmBinaryBuilder::readUserSection in wasm-binary.cpp in Binaryen 1.38.22 triggers an attempt at excessive memory allocation, as demonstrated by wasm-merge and wasm-opt.

Action-Not Available
Vendor-webassemblyn/a
Product-binaryenn/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2019-13112
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.30% / 53.56%
||
7 Day CHG~0.00%
Published-30 Jun, 2019 | 00:00
Updated-04 Aug, 2024 | 23:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A PngChunk::parseChunkContent uncontrolled memory allocation in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (crash due to an std::bad_alloc exception) via a crafted PNG image file.

Action-Not Available
Vendor-n/aCanonical Ltd.Exiv2Fedora ProjectDebian GNU/Linux
Product-ubuntu_linuxexiv2debian_linuxfedoran/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2019-12406
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-6.5||MEDIUM
EPSS-4.13% / 88.71%
||
7 Day CHG~0.00%
Published-06 Nov, 2019 | 20:07
Updated-04 Aug, 2024 | 23:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Apache CXF before 3.3.4 and 3.2.11 does not restrict the number of message attachments present in a given message. This leaves open the possibility of a denial of service type attack, where a malicious user crafts a message containing a very large number of message attachments. From the 3.3.4 and 3.2.11 releases, a default limit of 50 message attachments is enforced. This is configurable via the message property "attachment-max-count".

Action-Not Available
Vendor-n/aThe Apache Software FoundationOracle Corporation
Product-cxfretail_order_brokercommerce_guided_searchflexcube_private_bankingApache CXF
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-55199
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.02% / 4.19%
||
7 Day CHG~0.00%
Published-13 Aug, 2025 | 23:23
Updated-21 Aug, 2025 | 21:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Helm Charts with Specific JSON Schema Values Can Cause Memory Exhaustion

Helm is a package manager for Charts for Kubernetes. Prior to version 3.18.5, it is possible to craft a JSON Schema file in a manner which could cause Helm to use all available memory and have an out of memory (OOM) termination. This issue has been resolved in Helm 3.18.5. A workaround involves ensuring all Helm charts that are being loaded into Helm do not have any reference of $ref pointing to /dev/zero.

Action-Not Available
Vendor-helmhelm
Product-helmhelm
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-32035
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.20% / 42.00%
||
7 Day CHG~0.00%
Published-15 Apr, 2024 | 19:59
Updated-09 Jan, 2025 | 18:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Memory Allocation with Excessive Size Value in SixLabors.ImageSharp

ImageSharp is a 2D graphics API. A vulnerability discovered in the ImageSharp library, where the processing of specially crafted files can lead to excessive memory usage in image decoders. The vulnerability is triggered when ImageSharp attempts to process image files that are designed to exploit this flaw. This flaw can be exploited to cause a denial of service (DoS) by depleting process memory, thereby affecting applications and services that rely on ImageSharp for image processing tasks. Users and administrators are advised to update to the latest version of ImageSharp that addresses this vulnerability to mitigate the risk of exploitation. The problem has been patched in v3.1.4 and v2.1.8.

Action-Not Available
Vendor-sixlaborsSixLaborssixlabors
Product-imagesharpImageSharpimagesharp
CWE ID-CWE-789
Memory Allocation with Excessive Size Value
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-28863
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.65% / 70.91%
||
7 Day CHG~0.00%
Published-21 Mar, 2024 | 22:10
Updated-16 Dec, 2025 | 17:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
node-tar vulnerable to denial of service while parsing a tar file due to lack of folders count validation

node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.

Action-Not Available
Vendor-isaacsisaacsnode-tar_project
Product-tarnode-tarnode-tar
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-22436
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-6.5||MEDIUM
EPSS-0.14% / 34.23%
||
7 Day CHG~0.00%
Published-26 Mar, 2024 | 18:50
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A security vulnerability in HPE IceWall Agent products could be exploited remotely to cause a denial of service.

Action-Not Available
Vendor-Hewlett Packard Enterprise (HPE)
Product-IceWall Gen11, IceWall SSO Agent
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
  • Previous
  • 1
  • 2
  • Next
Details not found