
decompression-bomb

Detect decompression bomb vulnerabilities where compressed input can expand to exhaust memory, targeting buffer-based decompression without size limits.
Liaabnormal676/find-cve-agent · ★ 0 · AI & Automation · score 75
Install: claude install-skill Liaabnormal676/find-cve-agent
# Decompression Bomb Detection

## When to Use

Audit archive/compression libraries, file upload handlers, content-encoding processors, and any package that decompresses user-supplied data.

## Key Insight

**Buffer-based decompression is vulnerable**: the entire decompressed output is materialised in memory at once, so nothing ties the size of the request to the size of the allocation. A payload of a few kilobytes can expand to gigabytes: DEFLATE/gzip tops out near 1032:1 (a 1 MB body expands to about 1 GB), while xz/LZMA and nested archives reach far higher ratios.

**Stream-based MAY have backpressure**: but only if the consumer applies it. Many stream implementations still buffer the entire output (for example by collecting every chunk into an array and concatenating at the end), which is the buffer case with extra steps.

## Process

### Step 1: Find Decompression Sinks

```
# JavaScript
grep -rn "zlib\.gunzip\|zlib\.inflate\|zlib\.unzip\|zlib\.brotli" .
grep -rn "gunzipSync\|inflateSync\|unzipSync\|brotliDecompress" .
grep -rn "pako\|fflate\|lz-string\|snappy" .
grep -rn "decompress\|decompressSync\|uncompress" .

# Python
grep -rn "zlib\.decompress\|gzip\.decompress\|bz2\.decompress" .
grep -rn "lzma\.decompress\|snappy\.decompress" .

# Go
grep -rn "gzip\.NewReader\|zlib\.NewReader\|flate\.NewReader" .
grep -rn "compress/gzip\|compress/zlib\|compress/flate" .
```

### Step 2: Check for Size Limits

```
grep -rn "maxSize\|maxOutput\|maxLength\|MAX_SIZE\|outputLimit\|sizeLimit" .
grep -rn "ratio\|compressionRatio\|maxRatio" .
```

A hit on a limit is not enough: confirm that the limit applies to the *decompressed* output (or to the ratio), not only to the compressed input, since the compressed size is exactly what an attacker keeps small.

### Step 3: Check Buffer vs Stream

Buffer-based (VULNERABLE):

```js
zlib.gunzipSync(input) // Entire output in memory
zlib.gunzip(input, (err, result) => {}) // Callback with full buffer
```

Stream-based (CHECK):

```js
input.pipe(zlib.createGunzip()).pip
```