Description
Unfurl before 2026.04 contains an unbounded zlib decompression vulnerability in parse_compressed.py that allows remote attackers to cause denial of service. Attackers can submit highly compressed payloads via URL parameters to the /json/visjs endpoint that expand to gigabytes, exhausting server memory and crashing the service.
Published: 2026-04-08
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Denial of Service
Action: Apply Patch
AI Analysis

Impact

Unfurl versions before 2026.04 contain an unbounded zlib decompression flaw in the parse_compressed.py module. When a client submits an excessively compressed payload through the /json/visjs URL parameter, the server decompresses it without bounds, causing the application to consume gigabytes of memory and eventually crash. The result is a complete service outage for users of the Unfurl web interface. The issue maps to the CWE-409 (Uncontrolled Resource Consumption) and CWE-770 (Uncontrolled Memory Allocation) weaknesses.

Affected Systems

The affected product is Unfurl developed by obsidianforensics. All releases older than version 2026.04 are impacted; upgrading to v2026.04 or later releases the vulnerability.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity vulnerability. The EPSS score is not provided, but the lack of authentication requirements and the straightforward request structure make exploitation technically feasible. Because it is not listed in the CISA KEV catalog, there is no current evidence of widespread exploitation. The likely attack vector is remote HTTP requests to the /json/visjs endpoint, as inferred from the description.

Generated by OpenCVE AI on April 8, 2026 at 23:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch by upgrading to Unfurl v2026.04 or later
  • If an upgrade is not immediately possible, block or remove access to the /json/visjs endpoint to prevent unbounded decompression attempts
  • Configure the service to impose strict limits on request payload sizes and memory usage
  • Implement monitoring for sudden memory spikes or crashes to detect abuse early
  • Verify that any URLs processed by parse_compressed.py come from trusted sources

Generated by OpenCVE AI on April 8, 2026 at 23:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-h5qv-qjv4-pc5m Unfurl's unbounded zlib decompression allows decompression bomb DoS
History

Fri, 17 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Ryandfir
Ryandfir unfurl
CPEs cpe:2.3:a:ryandfir:unfurl:*:*:*:*:*:*:*:*
Vendors & Products Ryandfir
Ryandfir unfurl

Sat, 11 Apr 2026 03:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Dfir-unfurl
Dfir-unfurl dfir-unfurl
Vendors & Products Dfir-unfurl
Dfir-unfurl dfir-unfurl

Wed, 08 Apr 2026 22:15:00 +0000

Type Values Removed Values Added
Description dfir-unfurl through 20250810 contains an unbounded zlib decompression vulnerability in parse_compressed.py that allows remote attackers to cause denial of service. Attackers can submit highly compressed payloads via URL parameters to the /json/visjs endpoint that expand to gigabytes, exhausting server memory and crashing the service. Unfurl before 2026.04 contains an unbounded zlib decompression vulnerability in parse_compressed.py that allows remote attackers to cause denial of service. Attackers can submit highly compressed payloads via URL parameters to the /json/visjs endpoint that expand to gigabytes, exhausting server memory and crashing the service.
Title dfir-unfurl - Denial of Service via Unbounded zlib Decompression Unfurl < 2026.04 - Denial of Service via Unbounded zlib Decompression
Weaknesses CWE-400 CWE-409
CWE-770
References

Wed, 08 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
Description dfir-unfurl through 20250810 contains an unbounded zlib decompression vulnerability in parse_compressed.py that allows remote attackers to cause denial of service. Attackers can submit highly compressed payloads via URL parameters to the /json/visjs endpoint that expand to gigabytes, exhausting server memory and crashing the service.
Title dfir-unfurl - Denial of Service via Unbounded zlib Decompression
Weaknesses CWE-400
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Dfir-unfurl Dfir-unfurl
Ryandfir Unfurl
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-14T16:05:32.651Z

Reserved: 2026-04-08T13:39:22.099Z

Link: CVE-2026-40036

cve-icon Vulnrichment

Updated: 2026-04-11T03:05:46.079Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-08T22:16:24.190

Modified: 2026-04-17T15:56:41.023

Link: CVE-2026-40036

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:25:48Z

Weaknesses