GHSA-xg43-5579-qw6v: adawolfa/isdoc: Uncontrolled resource consumption (decompression bomb) when reading untrusted ISDOCX or PDF files
The adawolfa/isdoc library versions prior to 1.4.3, 1.5.1, and 1.6.1 are vulnerable to uncontrolled resource consumption due to decompression bombs in ISDOCX (ZIP) and PDF files. The library inflates compressed entries and reads embedded files without validating uncompressed sizes, allowing crafted files to exhaust memory or disk space, causing denial of service. There is no impact on confidentiality or integrity. Fixed versions enforce size limits on decompressed data and reject oversized entries before processing. No code-level workaround exists; upgrading is required.
AI Analysis
Technical Summary
The adawolfa/isdoc library reads ISDOC invoices from ISDOCX ZIP archives and PDF files with embedded ISDOC documents. Vulnerable versions inflate ZIP entries and read embedded files without validating their uncompressed size, enabling decompression bombs that can consume excessive memory or disk space. Specifically, getFromName() inflates ISDOC documents and supplements without size caps, saveTo() writes inflated data to disk without byte limits, and PDF embedded files with large declared lengths are processed without upper bounds. Exploitation requires processing attacker-supplied .isdocx or .pdf files, leading to denial of service by exhausting system resources. Fixed in versions 1.4.3, 1.5.1, 1.6.1, and 2.0.0 by enforcing size limits on decompressed data and rejecting oversized entries before inflation or reading.
Potential Impact
Exploitation results in denial of service through exhaustion of memory or disk space when processing maliciously crafted ISDOCX or PDF files. There is no confidentiality or integrity impact. The vulnerability can cause application or system unavailability due to uncontrolled resource consumption during decompression and file reading.
Mitigation Recommendations
Fixed versions 1.4.3, 1.5.1, 1.6.1, and 2.0.0 enforce size limits on decompressed ZIP entries and embedded PDF files, rejecting oversized entries before processing. Users should upgrade to one of these versions. No code-level workaround exists in affected versions. As a mitigation, restrict parsing to trusted inputs or externally enforce size and decompression limits before passing files to the library.
GHSA-xg43-5579-qw6v: adawolfa/isdoc: Uncontrolled resource consumption (decompression bomb) when reading untrusted ISDOCX or PDF files
Description
The adawolfa/isdoc library versions prior to 1.4.3, 1.5.1, and 1.6.1 are vulnerable to uncontrolled resource consumption due to decompression bombs in ISDOCX (ZIP) and PDF files. The library inflates compressed entries and reads embedded files without validating uncompressed sizes, allowing crafted files to exhaust memory or disk space, causing denial of service. There is no impact on confidentiality or integrity. Fixed versions enforce size limits on decompressed data and reject oversized entries before processing. No code-level workaround exists; upgrading is required.
CVSS v3.1
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The adawolfa/isdoc library reads ISDOC invoices from ISDOCX ZIP archives and PDF files with embedded ISDOC documents. Vulnerable versions inflate ZIP entries and read embedded files without validating their uncompressed size, enabling decompression bombs that can consume excessive memory or disk space. Specifically, getFromName() inflates ISDOC documents and supplements without size caps, saveTo() writes inflated data to disk without byte limits, and PDF embedded files with large declared lengths are processed without upper bounds. Exploitation requires processing attacker-supplied .isdocx or .pdf files, leading to denial of service by exhausting system resources. Fixed in versions 1.4.3, 1.5.1, 1.6.1, and 2.0.0 by enforcing size limits on decompressed data and rejecting oversized entries before inflation or reading.
Potential Impact
Exploitation results in denial of service through exhaustion of memory or disk space when processing maliciously crafted ISDOCX or PDF files. There is no confidentiality or integrity impact. The vulnerability can cause application or system unavailability due to uncontrolled resource consumption during decompression and file reading.
Mitigation Recommendations
Fixed versions 1.4.3, 1.5.1, 1.6.1, and 2.0.0 enforce size limits on decompressed ZIP entries and embedded PDF files, rejecting oversized entries before processing. Users should upgrade to one of these versions. No code-level workaround exists in affected versions. As a mitigation, restrict parsing to trusted inputs or externally enforce size and decompression limits before passing files to the library.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-xg43-5579-qw6v
- Osv Schema Version
- 1.4.0
- Aliases
- []
- Ecosystems
- ["Packagist"]
- Database Specific Severity
- MODERATE
- Cvss Version
- 3.1
Threat ID: 6a58b40268715ace43d66f2b
Added to database: 07/16/2026, 10:35:46 UTC
Last enriched: 07/16/2026, 10:47:00 UTC
Last updated: 07/16/2026, 10:47:00 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.