CVE-2024-3508: Uncontrolled Resource Consumption
A flaw was found in Bombastic, which allows authenticated users to upload compressed (bzip2 or zstd) SBOMs. The API endpoint verifies the presence of some fields and values in the JSON. To perform this verification, the uploaded file must first be decompressed.
AI Analysis
Technical Summary
CVE-2024-3508 identifies a vulnerability in Bombastic, a tool that processes Software Bill of Materials (SBOM) files uploaded by authenticated users. The flaw arises from the handling of compressed SBOM files in bzip2 or zstd formats. When a user uploads such a file, the Bombastic API decompresses it in order to verify the presence of specific JSON fields and values. However, the decompression step lacks adequate controls to limit resource consumption (CPU, memory, or disk I/O). An attacker can exploit this by uploading specially crafted compressed files that decompress into very large or complex data, causing excessive resource usage. The result is a denial-of-service (DoS) condition in which the Bombastic service becomes unresponsive or crashes due to resource exhaustion. The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) because it involves insufficient validation of uploaded content leading to resource abuse. The CVSS v3.1 score is 4.3 (medium): the attack vector is network-based, attack complexity is low, an authenticated account is required, and no user interaction is needed. The impact is limited to availability, with no direct confidentiality or integrity compromise. No patches or known exploits are currently reported, indicating the vulnerability is newly disclosed and may require proactive mitigation.
Potential Impact
For European organizations, especially those involved in software development, supply chain management, or security compliance, this vulnerability could disrupt operations by causing denial-of-service conditions in Bombastic deployments. Since Bombastic is used to manage SBOMs, which are critical for software transparency and vulnerability tracking, service unavailability could delay vulnerability assessments and compliance reporting. This may indirectly increase exposure to other threats. The requirement for authentication limits exploitation to insiders or compromised accounts, but this does not eliminate risk in environments with multiple users or automated systems. The impact on confidentiality and integrity is negligible, but availability degradation can affect business continuity and incident response capabilities. Organizations relying on Bombastic for regulatory compliance or supply chain security may face operational and reputational risks if the service is disrupted.
Mitigation Recommendations
To mitigate CVE-2024-3508, organizations should implement strict resource usage limits during decompression of uploaded SBOM files. This includes setting maximum file size thresholds before decompression, limiting CPU and memory usage per decompression process, and enforcing timeouts to prevent long-running decompression tasks. Input validation should be enhanced to reject suspicious or unusually large compressed files. Access controls should be reviewed to restrict upload permissions to trusted users only. Monitoring and alerting on abnormal resource consumption patterns in Bombastic can provide early detection of exploitation attempts. If possible, update or patch Bombastic once vendor fixes are available. In the interim, consider isolating the decompression process in sandboxed environments or containers to contain potential resource exhaustion. Regularly audit user accounts and authentication mechanisms to reduce the risk of unauthorized uploads.
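The core of the mitigation above is to never materialise more decompressed data than the service is prepared to handle. The following example, added here and not code from Bombastic or the advisory, shows that guard for the bzip2 case using only the Python standard library: it caps the compressed upload size, decompresses incrementally with a hard output budget (aborting the moment the budget is exceeded rather than after the fact), and only then parses the JSON and checks for SBOM fields. The limit values, the sample SBOM, the zero-filled bomb input and the `identify_sbom` field check are all constructed for illustration and are not the endpoint's real validation rules; zstd is not covered because the standard library (before Python 3.14) has no zstd decoder, but the same streaming-with-budget pattern applies to any decompressor that exposes a bounded read.

```python
import bz2
import io
import json

# Constructed limits for this example; a real deployment would tune them to
# the largest legitimate SBOM it expects to receive.
MAX_COMPRESSED_BYTES = 256 * 1024      # reject before decompressing anything
MAX_DECOMPRESSED_BYTES = 1024 * 1024   # hard cap on bytes ever materialised
READ_CHUNK = 64 * 1024


class DecompressionLimitExceeded(ValueError):
    """Raised when the decompressed output would exceed the configured cap."""


def bounded_bz2_decompress(blob: bytes, max_out: int = MAX_DECOMPRESSED_BYTES) -> bytes:
    """Decompress a bzip2 stream incrementally, stopping as soon as the output
    would exceed max_out, so a small but highly compressible upload cannot make
    the service allocate an unbounded buffer."""
    if len(blob) > MAX_COMPRESSED_BYTES:
        raise DecompressionLimitExceeded("compressed payload exceeds size limit")

    decompressor = bz2.BZ2Decompressor()
    source = io.BytesIO(blob)
    out = bytearray()
    while not decompressor.eof:
        if decompressor.needs_input:
            piece = source.read(READ_CHUNK)
            if not piece:
                raise ValueError("truncated bzip2 stream")
        else:
            # The decompressor still holds unconsumed input from the last call;
            # passing b"" asks it to continue from that internal buffer.
            piece = b""
        # Ask for at most one byte beyond what we can still accept: if that
        # extra byte arrives, the upload is over budget and we stop immediately.
        remaining = max_out - len(out)
        out += decompressor.decompress(piece, max_length=remaining + 1)
        if len(out) > max_out:
            raise DecompressionLimitExceeded(
                f"decompressed output exceeds {max_out} bytes "
                f"(compressed input was {len(blob)} bytes)"
            )
    return bytes(out)


def identify_sbom(document: dict) -> str:
    """Hypothetical stand-in for the endpoint's own field check: accept a
    CycloneDX or SPDX document based on a couple of top-level keys."""
    if document.get("bomFormat") == "CycloneDX" and "specVersion" in document:
        return "cyclonedx"
    if "spdxVersion" in document and "SPDXID" in document:
        return "spdx"
    raise ValueError("JSON does not look like a CycloneDX or SPDX SBOM")


def check_upload(blob: bytes) -> dict:
    """Full guard for one upload: size cap, bounded decompression, JSON parse,
    field check. Returns a dict an HTTP handler could map to 201 / 413 / 400."""
    try:
        raw = bounded_bz2_decompress(blob)
    except DecompressionLimitExceeded as exc:
        return {"status": "rejected", "reason": "limit", "detail": str(exc)}
    except (OSError, ValueError) as exc:   # bz2 raises OSError on bad streams
        return {"status": "rejected", "reason": "corrupt", "detail": str(exc)}
    try:
        fmt = identify_sbom(json.loads(raw))
    except ValueError as exc:              # JSONDecodeError is a ValueError
        return {"status": "rejected", "reason": "invalid", "detail": str(exc)}
    return {"status": "accepted", "format": fmt, "decompressed_bytes": len(raw)}


def compress_json(document: dict) -> bytes:
    """Constructed client-side helper: bzip2-compress a JSON document."""
    return bz2.compress(json.dumps(document).encode())


def sample_sbom_upload() -> bytes:
    """Constructed: a tiny CycloneDX document as a legitimate client would send it."""
    return compress_json({
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "components": [{"name": "example-lib", "version": "1.0.0"}],
    })


def decompression_bomb_upload(size: int = 4 * 1024 * 1024) -> bytes:
    """Constructed: `size` zero bytes, which bzip2 shrinks to a few hundred
    bytes but which would expand to 4 MiB if decompressed without a budget."""
    return bz2.compress(b"\0" * size)


if __name__ == "__main__":
    print(check_upload(sample_sbom_upload()))
    print(check_upload(decompression_bomb_upload()))
    print(check_upload(b"not bzip2 at all"))
```

The important design choice is `max_length=remaining + 1`: the decompressor is never asked to produce more than the budget allows, so memory use is bounded by the cap regardless of the expansion ratio, and the rejection happens before the service has done the bulk of the work. Logging the compressed and decompressed sizes on each `limit` rejection also gives the monitoring recommended above a concrete signal to alert on.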
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland
Technical Details
Data Version: 5.2
Assigner Short Name: redhat
Date Reserved: 2024-04-09T08:03:26.957Z
CVSS Version: 3.1
State: PUBLISHED
Threat ID: 691f698540b920e2708380f3
Added to database: 11/20/2025, 7:18:29 PM
Last enriched: 11/20/2025, 7:33:40 PM
Last updated: 11/21/2025, 7:55:35 AM
Related Threats
CVE-2024-4629: Improper Enforcement of a Single, Unique Action (Medium)
CVE-2024-4028: Improper Input Validation (Low)
CVE-2024-6501: Uncontrolled Resource Consumption (Low)
CVE-2024-6126: Uncontrolled Resource Consumption (Low)
CVE-2024-5967: Incorrect Default Permissions (Low)