Decompression Bomb (ZIP)
What is a Decompression Bomb?
A decompression bomb (also called a zip bomb) is a malicious archive file designed to crash or render useless the program or system reading it. The archive appears tiny on disk but expands to an enormous size when decompressed, exhausting memory, disk space, or CPU time.
How It Works
This plugin creates a single-layer ZIP bomb. The archive contains one or more entries filled with highly compressible data (null bytes). Because Deflate compression is extremely effective on repetitive data, the compressed archive is tiny while the uncompressed content is orders of magnitude larger.
Compression ratios:
- 1 MB of zeroes compresses to ~1 KB
- 1 GB of zeroes compresses to ~1 MB
- 10 GB of zeroes compresses to ~10 MB
Attack Scenarios
Denial of Service (DoS)
Upload the bomb to a service that extracts or processes ZIP files. The decompression fills the disk or exhausts memory, causing a service outage.
Antivirus Evasion
Some AV engines scan inside archives. A decompression bomb can cause the scanner to hang or crash, allowing other malicious content to pass through.
Resource Exhaustion
CI/CD pipelines, file processing services, and document converters that extract archives without size limits are all vulnerable.
Single-Layer vs. Recursive Bombs
This plugin generates a single-layer bomb — one level of compression with highly compressible content. Recursive (nested) bombs contain ZIP files within ZIP files and can achieve much higher expansion ratios but are also more commonly detected by modern tools.
Defenses That Block This
- Decompression size limits — refuse to extract if uncompressed size exceeds a threshold
- Ratio-based detection — flag archives with extreme compression ratios
- Streaming extraction with early abort when limits are exceeded
- Resource limits (ulimit, cgroups) on extraction processes
- Timeout-based processing to catch long-running decompressions
Related CVEs
- CVE-2019-9674 — Python zipfile module DoS via decompression bomb
- CVE-2018-10115 — 7-Zip RAR handling crash