Impact
IO::Uncompress::Unzip versions prior to 2.220 contain a per-byte read loop in the fastForward method that can exhaust CPU when extracting entries from user-supplied ZIP archives. The loop is meant to skip forward in 16 KiB chunks, but it compares the digit count of the offset (the length of the number written as a string) against the chunk size, so the chunk shrinks from 16 KiB to between 1 and 19 bytes per iteration. The number of iterations therefore grows with the number of compressed bytes the module has to skip over, which in a non-Zip64 archive can approach the 4 GiB limit, and the result is a denial-of-service condition. The weakness is classified as CWE-407 (Inefficient Algorithmic Complexity), which here manifests as CPU resource exhaustion.
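To make the difference in iteration counts concrete, the following Perl script models the skip loop under the flawed and the corrected chunk rule. It is an added illustration written for this page, not the module's source: the function names are mine, and the only details carried over from the description above are the 16 KiB block size and the use of the offset's digit count as the chunk size.

```perl
#!/usr/bin/env perl
# Added illustration of the skip-loop flaw described in the advisory.
# This is a model, not IO::Uncompress::Unzip's own code: it keeps only the
# arithmetic that matters (16 KiB block size, chunk size taken from the digit
# count of the offset) so the read counts of the flawed and fixed rules can
# be compared side by side.
use strict;
use warnings;
use List::Util qw(min);

my $BLOCKSIZE = 16 * 1024;   # intended read size, 16 KiB

# Flawed rule: the chunk size is min(block size, length of the offset as a
# string), i.e. the number of decimal digits in $offset, never more than a
# handful of bytes. Returns how many reads are needed to skip $offset bytes.
sub reads_flawed {
    my ($offset) = @_;
    my $reads = 0;
    while ($offset > 0) {
        my $chunk = min($BLOCKSIZE, length($offset));   # digit count, not a byte count
        $offset -= $chunk;
        $reads++;
    }
    return $reads;
}

# Fixed rule: the chunk size is min(block size, bytes still to skip).
sub reads_fixed {
    my ($offset) = @_;
    my $reads = 0;
    while ($offset > 0) {
        my $chunk = min($BLOCKSIZE, $offset);
        $offset -= $chunk;
        $reads++;
    }
    return $reads;
}

# Closed-form approximation of reads_flawed for offsets too large to simulate:
# every offset with d decimal digits is skipped d bytes at a time, so each
# digit band contributes about (bytes in band) / d reads (exact to within a
# few reads at the band boundaries).
sub reads_flawed_estimate {
    my ($offset) = @_;
    my $reads = 0;
    for my $d (1 .. length($offset)) {
        my $lo = 10 ** ($d - 1);
        my $hi = min($offset, 10 ** $d - 1);
        $reads += int(($hi - $lo + $d) / $d);   # ceil((hi - lo + 1) / d)
    }
    return $reads;
}

for my $size (1_000, 1_000_000, 10_000_000) {
    printf "skip %10d bytes: flawed %10d reads (est. %10d), fixed %6d reads\n",
        $size, reads_flawed($size), reads_flawed_estimate($size), reads_fixed($size);
}

# Worst case for a non-Zip64 archive: skipping just under 4 GiB.
my $four_gib = 2**32;
printf "skip %10d bytes: flawed ~%d reads (est.), fixed %d reads\n",
    $four_gib, reads_flawed_estimate($four_gib), reads_fixed($four_gib);
```

Run it with perl; the simulated cases finish in well under a second, while the 4 GiB case is only estimated because actually looping that many times is the bug itself. The estimate shows the flawed rule needing on the order of 4e8 reads where the fixed rule needs 262,144, roughly a 1,700-fold difference.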
Affected Systems
The affected product is the IO::Uncompress::Unzip module, published on CPAN by PMQS as part of the IO-Compress distribution. All releases before 2.220 are vulnerable; the fix shipped in release 2.220, so any environment that unpacks untrusted archives should confirm that the installed version is at least that.
Risk and Exploitability
No CVSS score or EPSS score is available in the provided data, so the likelihood of exploitation cannot be quantified from it, and the vulnerability is not listed in the CISA KEV catalog. Triggering the flaw needs nothing more than a crafted ZIP file containing a targeted entry and a call such as IO::Uncompress::Unzip->new($zip, Name => $target), where reaching the named entry forces the fastForward loop to skip a large run of compressed data. The likely attack surface is any service that unpacks or inspects user-supplied ZIP archives, for example a web application that accepts file uploads. Exploitation requires only that the vulnerable module process the attacker's file, so if the upload path is reachable remotely the CPU exhaustion is remotely triggerable; because the cost grows with the amount of compressed data skipped, limits on accepted archive size bound the damage until the module is upgraded.
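A defensive wrapper for the attack path just described, written for this page and not taken from IO-Compress: it refuses to unpack untrusted input on a pre-2.220 module, caps the archive and output sizes, and bounds wall-clock time. The version floor comes from the advisory; the size caps, the timeout and the function name extract_member are assumptions chosen for illustration.

```perl
#!/usr/bin/env perl
# Added example (not IO-Compress code): extract one named member from an
# untrusted ZIP only if the installed IO::Uncompress::Unzip carries the fix,
# and bound the work the archive can cause in any case.
use strict;
use warnings;
use version;
use IO::Uncompress::Unzip qw($UnzipError);

my $FIXED_VERSION     = version->parse('2.220');   # first release with the fix
my $MAX_ARCHIVE_BYTES = 50 * 1024 * 1024;          # assumed policy: cap on upload size
my $MAX_OUTPUT_BYTES  = 200 * 1024 * 1024;         # assumed policy: cap on inflated size
my $TIMEOUT_SECONDS   = 10;                        # assumed policy: wall-clock bound

# Returns a reference to the member's bytes, or dies with a reason.
sub extract_member {
    my ($zip_path, $member_name) = @_;

    # 1. Refuse to unpack untrusted input with a vulnerable module.
    my $installed = version->parse($IO::Uncompress::Unzip::VERSION);
    die "IO::Uncompress::Unzip $installed is older than $FIXED_VERSION: refusing untrusted archives\n"
        if $installed < $FIXED_VERSION;

    # 2. Cap the archive size: the skip loop's cost grows with the bytes skipped.
    my $size = -s $zip_path;
    die "cannot stat $zip_path\n" unless defined $size;
    die "archive too large ($size bytes, limit $MAX_ARCHIVE_BYTES)\n"
        if $size > $MAX_ARCHIVE_BYTES;

    # 3. Bound wall-clock time. The flawed loop is plain Perl, so the deferred
    #    SIGALRM is delivered between its iterations and the die unwinds it.
    my $data = '';
    my $ok = eval {
        local $SIG{ALRM} = sub { die "timeout after ${TIMEOUT_SECONDS}s\n" };
        alarm $TIMEOUT_SECONDS;
        my $z = IO::Uncompress::Unzip->new($zip_path, Name => $member_name)
            or die "unzip failed: $UnzipError\n";
        my ($buf, $status);
        while (($status = $z->read($buf)) > 0) {
            $data .= $buf;
            die "inflated data exceeds $MAX_OUTPUT_BYTES bytes\n"
                if length($data) > $MAX_OUTPUT_BYTES;
        }
        die "read error: $UnzipError\n" if $status < 0;
        $z->close;
        1;
    };
    alarm 0;                 # always cancel the timer, even on failure
    die $@ unless $ok;
    return \$data;
}

if (@ARGV == 2) {
    my $bytes = extract_member(@ARGV);
    printf "extracted %d bytes from %s:%s\n", length($$bytes), @ARGV;
}
```

Usage: perl extract.pl upload.zip path/inside/archive.txt. The alarm relies on POSIX signal semantics, so it does not bound time on Windows. The size cap and timeout only contain the cost of one request; each crafted upload still burns CPU until the alarm fires, so they are an interim control and upgrading to 2.220 or later remains the fix.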
OpenCVE Enrichment