CVE-2024-5569 is a Denial of Service vulnerability classified under CWE-835 (Loop with Unreachable Exit Condition) found in the jaraco/zipp Python library, affecting all versions prior to 3.19.1. The vulnerability is triggered when the library processes a specially crafted zip file that causes an infinite loop in path-related functions such as joinpath, the overloaded division operator (/), and iterdir. These functions manipulate Path objects within the library and the infinite loop prevents the application from progressing, effectively causing it to hang. The vulnerability also affects the zipfile module in CPython because features from jaraco/zipp have been merged into it, and the vulnerable code is identical. The infinite loop is not resource exhaustive, meaning it does not consume excessive CPU or memory but still causes the application to become unresponsive. Exploitation does not require authentication or user interaction, and the attack vector is local (AV:L), meaning the attacker must have local access to the system or the ability to supply crafted zip files to the application. The CVSS v3.0 base score is 6.2, indicating a medium severity level. The issue was addressed in jaraco/zipp version 3.19.1 by fixing the loop condition to ensure proper exit. No known exploits have been reported in the wild, but the vulnerability poses a risk to applications that rely on these libraries for zip file handling, especially those that process untrusted zip files.

For European organizations, this vulnerability can lead to denial of service conditions in applications that use jaraco/zipp or the Python zipfile module for handling zip files. This may affect web services, automation scripts, or backend systems that process uploaded zip archives, potentially causing application hangs and service unavailability. Although the infinite loop is not resource exhaustive, the unresponsiveness can disrupt business operations, degrade user experience, and increase operational costs due to downtime or manual intervention. Organizations in sectors with high reliance on Python-based automation, cloud services, or data processing pipelines are particularly at risk. Additionally, industries such as finance, healthcare, and government, which often handle large volumes of compressed data, may face operational disruptions. The lack of known exploits reduces immediate risk, but the ease of triggering the infinite loop with crafted zip files means attackers with local access or the ability to upload files could exploit this vulnerability to cause service interruptions.

European organizations should immediately upgrade jaraco/zipp to version 3.19.1 or later to remediate this vulnerability. For applications using the Python standard library zipfile module, ensure that the Python runtime is updated to a version that includes the patched code from jaraco/zipp. Implement strict input validation and sanitization for all zip files processed by applications, especially those uploaded by untrusted users. Employ sandboxing or resource-limiting techniques to isolate processes handling zip files, preventing a single hung process from impacting overall system availability. Monitor application logs and performance metrics for signs of unresponsiveness or infinite loops during zip file processing. Where feasible, restrict the ability to upload or process zip files to trusted users or systems. Additionally, consider implementing timeout mechanisms for file processing operations to recover from potential hangs. Finally, maintain an inventory of all Python dependencies and regularly scan for vulnerable versions to ensure timely patching.