CVE-2024-8088

Published Aug 22, 2024 Modified Apr 15, 2026 CWE-835

Description

There is a HIGH severity vulnerability affecting the CPython "zipfile" module affecting "zipfile.Path". Note that the more common API "zipfile.ZipFile" class is unaffected. When iterating over names of entries in a zip archive (for example, methods of "zipfile.Path" like "namelist()", "iterdir()", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected.

Weakness Type (CWE)

CWE-835 CWE-835

References

Other References

https://github.com/python/cpython/commit/0aa1ee22ab6e204e9d3d0e9dd63ea648ed691ef1 https://github.com/python/cpython/commit/2231286d78d328c2f575e0b05b16fe447d1656d6 https://github.com/python/cpython/commit/795f2597a4be988e2bb19b69ff9958e981cb894e https://github.com/python/cpython/commit/7bc367e464ce50b956dd232c1dfa1cad4e7fb814 https://github.com/python/cpython/commit/7e8883a3f04d308302361aeffc73e0e9837f19d4 https://github.com/python/cpython/commit/8c7348939d8a3ecd79d630075f6be1b0c5b41f64 https://github.com/python/cpython/commit/95b073bddefa6243effa08e131e297c0383e7f6a https://github.com/python/cpython/commit/962055268ed4f2ca1d717bfc8b6385de50a23ab7 https://github.com/python/cpython/commit/9cd03263100ddb1657826cc4a71470786cab3932 https://github.com/python/cpython/commit/dcc5182f27c1500006a1ef78e10613bb45788dea

Frequently Asked Questions

What is CVE-2024-8088? +
There is a HIGH severity vulnerability affecting the CPython "zipfile" module affecting "zipfile.Path". Note that the more common API "zipfile.ZipFile" class is unaffected. When iterating over names of entries in a zip archive (for example, methods of "zipfile.Path" like "namelist()", "iterdir()", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected.
How do I check if I'm vulnerable to CVE-2024-8088? +
You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2025-27497

OpenDJ is an LDAPv3 compliant directory service. OpenDJ prior to 4.9.3 contains a denial-of-service (DoS) vulnerability that causes the server …
CVE-2025-29776

Azle is a WebAssembly runtime for TypeScript and JavaScript on ICP. Calling `setTimer` in Azle versions `0.27.0`, `0.28.0`, and `0.29.0` …
CVE-2025-32029

ts-asn1-der is a collection of utility classes to encode ASN.1 data following DER rule. Incorrect number DER encoding can lead …
CVE-2026-41146

facil.io is a C micro-framework for web applications. Prior to commit 5128747363055201d3ecf0e29bf0a961703c9fa0, `fio_json_parse` can enter an infinite loop when it …
CVE-2026-39806

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in mtrudel bandit allows unauthenticated remote denial of service via worker process …
CVE-2026-31448 9.4

In the Linux kernel, the following vulnerability has been resolved: ext4: avoid infinite loops caused by residual data On the …

Don't wait for an exploit

Scan your website for vulnerabilities like CVE-2024-8088 — free, no signup required.

Start Free Scan