CVE-2025-63914: n/a
An issue was discovered in Cinnamon kotaemon 0.11.0. The _may_extract_zip function in the \libs\ktem\ktem\index\file\ui.py file does not check the contents of uploaded ZIP files. Although the contents are extracted into a temporary folder that is cleared before each extraction, successfully uploading a ZIP bomb could still cause the server to consume excessive resources during decompression. Moreover, if no further files are uploaded afterward, the extracted data could occupy disk space and potentially render the system unavailable. Anyone with permission to upload files can carry out this attack.
AI Analysis
Technical Summary
CVE-2025-63914 affects Cinnamon kotaemon version 0.11.0 due to inadequate validation in the _may_extract_zip function located in \libs\ktem\ktem\index\file\ui.py. The function extracts uploaded ZIP files into a temporary directory without inspecting their contents for malicious payloads such as ZIP bombs, compressed archives crafted to expand to many times their compressed size on decompression and so consume excessive CPU, memory, and disk space. Although the temporary extraction folder is cleared before each new extraction, if no subsequent uploads occur the extracted files remain on disk, potentially filling storage and causing system unavailability. The vulnerability requires an attacker to have file upload permissions but does not require user interaction beyond that. The CVSS 3.1 base score is 6.5 (medium), reflecting network attack vector, low attack complexity, privileges required, no user interaction, unchanged scope, no confidentiality or integrity impact, but high impact on availability. This vulnerability is categorized under CWE-409 (Improper Resource Shutdown or Release), highlighting the failure to properly manage resources post-extraction. No patches or known exploits are currently available, but the risk of denial of service through resource exhaustion is significant.
Potential Impact
For European organizations using Cinnamon kotaemon 0.11.0, this vulnerability poses a risk of denial of service through resource exhaustion. Attackers with file upload permissions can deploy ZIP bombs that cause excessive CPU and memory usage during decompression, potentially degrading server performance or causing crashes. Additionally, leftover extracted files can consume disk space, leading to storage exhaustion and system unavailability. This can disrupt critical services, especially for organizations relying on this software for file handling or content management. The impact is primarily on availability, with no direct compromise of confidentiality or integrity. Organizations with high-volume file upload workflows or limited resource monitoring are particularly vulnerable. The absence of known exploits reduces immediate risk, but the ease of exploitation and potential operational disruption warrant proactive mitigation.
Mitigation Recommendations
To mitigate CVE-2025-63914, organizations should implement strict validation and scanning of uploaded ZIP files before extraction. This includes limiting the maximum allowed compressed and uncompressed file sizes, restricting the number of nested archives, and detecting known ZIP bomb patterns. Employ resource usage monitoring and set thresholds to terminate decompression processes that exceed expected CPU or memory usage. Regularly clear temporary extraction directories, especially after periods of inactivity, to prevent disk space exhaustion. Restrict file upload permissions to trusted users and implement application-level rate limiting to reduce attack surface. If possible, update or patch Cinnamon kotaemon once a fix is released. In the interim, consider isolating the file extraction process in sandboxed environments or containers to limit impact. Logging and alerting on unusual file upload activity can help detect exploitation attempts early.
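As an added example (not kotaemon's own code), the pre-extraction checks recommended above in Python: declared total size, compression ratio, entry count and nested-archive limits read from the central directory, plus a streaming pass that counts the bytes really produced so a budget holds even when header fields are wrong. The limits and the sample archives are assumed, constructed values.

```python
import io
import zipfile

# Assumed policy limits (not kotaemon's values); tune to the deployment.
MAX_TOTAL_UNCOMPRESSED = 64 * 1024 * 1024  # declared total, bytes
MAX_COMPRESSION_RATIO = 100                 # uncompressed / compressed
MAX_ENTRIES = 1000

def check_zip(data: bytes) -> list:
    """Inspect central-directory metadata before extracting anything; return policy violations."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if len(infos) > MAX_ENTRIES:
            problems.append(f"too many entries: {len(infos)}")
        total_out = sum(i.file_size for i in infos)
        total_in = sum(i.compress_size for i in infos)
        if total_out > MAX_TOTAL_UNCOMPRESSED:
            problems.append(f"declared uncompressed size too large: {total_out} bytes")
        if total_in and total_out / total_in > MAX_COMPRESSION_RATIO:
            problems.append(f"suspicious compression ratio: {total_out // total_in}:1")
        problems += [f"nested archive not allowed: {i.filename}"
                     for i in infos if i.filename.lower().endswith(".zip")]
    return problems

def actual_size(data: bytes, budget: int = MAX_TOTAL_UNCOMPRESSED) -> int:
    """Stream-decompress and count bytes really produced; raise ValueError once the budget is exceeded."""
    seen = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as src:
                while chunk := src.read(64 * 1024):
                    seen += len(chunk)
                    if seen > budget:
                        raise ValueError(f"aborted after {seen} bytes; budget is {budget}")
    return seen

def make_zip(entries: dict) -> bytes:
    """Build an in-memory archive; used only for the constructed samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples: a normal upload, a highly compressible payload, a nested archive.
BENIGN = make_zip({"report.txt": b"quarterly report: revenue up 3%, churn down 1%\n" * 20})
HIGH_RATIO = make_zip({"pad.bin": b"\0" * (8 * 1024 * 1024)})  # 8 MiB of zeros deflates to a few KiB
NESTED = make_zip({"inner.zip": make_zip({"a.txt": b"hello"})})
```

Run check_zip on the upload first and refuse anything that returns violations; actual_size is the second line of defence for the extraction step itself.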
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-10-27T00:00:00.000Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 6924b03965c0297328b78395
Added to database: 11/24/2025, 7:21:29 PM
Last enriched: 11/24/2025, 7:35:23 PM
Last updated: 11/24/2025, 9:48:47 PM