CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)
CWE version: 4.18
Last updated: 2025-09-09
Weakness Description
The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.
Extended Description
An example of data amplification is a "decompression bomb," a small ZIP file that can produce a large amount of data when it is decompressed.
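One defensive pattern against this weakness is to decompress in bounded chunks and stop as soon as the produced output exceeds a budget or the observed compression ratio exceeds a threshold, rather than trusting the sizes declared in the archive header. The following is an added example written for this page (not CWE or CERT code); it uses Python's standard `zipfile` module, and the size limits, ratio limit and the sample archive are constructed for illustration:

```python
import io
import zipfile

MAX_OUTPUT_BYTES = 1 * 1024 * 1024  # assumed per-entry budget for decompressed bytes
MAX_RATIO = 100                     # assumed maximum tolerated output/input ratio
CHUNK = 64 * 1024                   # read in small chunks so we can abort early


class DecompressionBombError(ValueError):
    """Raised when an entry would exceed the configured output or ratio limits."""


def safe_extract_entry(zf, name, max_output=MAX_OUTPUT_BYTES, max_ratio=MAX_RATIO):
    """Decompress one ZIP entry into memory, aborting as soon as a limit is hit."""
    info = zf.getinfo(name)
    # Header-declared size is a cheap first check, but it is attacker-controlled,
    # so the loop below still counts the bytes the decompressor actually produces.
    if info.file_size > max_output:
        raise DecompressionBombError(
            f"{name}: declared size {info.file_size} exceeds budget {max_output}")
    produced = 0
    out = io.BytesIO()
    with zf.open(info) as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                break
            produced += len(chunk)
            if produced > max_output:
                raise DecompressionBombError(
                    f"{name}: output exceeded budget {max_output} bytes")
            # Ratio check on bytes produced so far versus the stored compressed size.
            if info.compress_size and produced / info.compress_size > max_ratio:
                raise DecompressionBombError(
                    f"{name}: compression ratio exceeded {max_ratio}:1")
            out.write(chunk)
    return out.getvalue()


def build_zip(entries):
    """Constructed sample input: build an in-memory ZIP from a {name: bytes} dict."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return zipfile.ZipFile(buf)
```

A highly compressible entry (2 MiB of zero bytes) is rejected either by the declared-size check or, when the budget is raised, by the streaming ratio check, while an ordinary small entry is returned intact.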
Common Consequences
Scope: Availability
Technical Impact: DoS: Amplification; DoS: Crash, Exit, or Restart; DoS: Resource Consumption (CPU); DoS: Resource Consumption (Memory)
Note: System resources, CPU and memory, can be quickly consumed. This can lead to poor system performance or a system crash.
Observed Examples
Reference: CVE-2009-1955
XML bomb in web server module
Reference: CVE-2003-1564
Parsing library allows XML bomb
Modes of Introduction
| Phase | Note |
|---|---|
| Architecture and Design | - |
| Implementation | - |
Applicable Platforms
Languages
Taxonomy Mappings
| Taxonomy Name | Node ID | Node Name | Mapping Fit |
|---|---|---|---|
| PLOVER | - | Data Amplification | - |
| The CERT Oracle Secure Coding Standard for Java (2011) | IDS04-J | Limit the size of files passed to ZipInputStream | - |