CVE-2025-53633 – github.com/ctfer-io/chall-manager

Package

Manager: go
Name: github.com/ctfer-io/chall-manager
Vulnerable Version: >=0 <0.1.4

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00121 pctl0.31922

Details

Chall-Manager's scenario decoding process does not check for zip bombs ### Impact When decoding a scenario (i.e. a zip archive), the size of the decoded content is not checked, potentially leading to zip bombs decompression. Exploitation does not require authentication nor authorization, so anyone can exploit it. It should nonetheless not be exploitable as it is highly recommended to bury Chall-Manager deep within the infrastructure due to its large capabilities, so no users could reach the system. ### Patches Patch has been implemented by [commit `14042aa`](https://github.com/ctfer-io/chall-manager/commit/14042aa66a577caee777e10fe09adcf2587d20dd) and shipped in [`v0.1.4`](https://github.com/ctfer-io/chall-manager/releases/tag/v0.1.4). ### Workarounds No workaround exist. ### References N/A.

Metadata

Created: 2025-07-10T17:50:25Z
Modified: 2025-07-10T23:21:54Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-r7fm-3pqm-ww5w/GHSA-r7fm-3pqm-ww5w.json
CWE IDs: ["CWE-405", "CWE-409"]
Alternative ID: GHSA-r7fm-3pqm-ww5w
Finding: F159
Auto approve: 1