Release version 1.1.3: Fix multiple vulnerabilities #738

miurahr · 2026-06-19T09:31:45Z

miurahr
Jun 19, 2026
Maintainer

CVE-2026-23879: Arbitrary File Write Vulnerability in py7zr (high severity)
- Harden check of path traversal and enhance test cases to reproduce many attack scenarios.
CVE-2026-55206: O(n^2) algorithmic complexity DoS in PackInfo._read() in py7zr
- Enforced variation of the parameter with a limit and optimized calculation algorithm to prevent excessive CPU consumption.
CVE-2026-55195: py7zr <= 1.1.2: Decompression bomb (zip bomb) denial of service via unchecked extraction size
- Added check of extraction size and introduced max_extract_size as constructor parameter to guard against excessive decompression.

This discussion was created from the release Release version 1.1.3: Fix multiple vulnerabilities.