Advisories for Pypi/Dfir-Unfurl package

2026

Unfurl's unbounded zlib decompression allows decompression bomb DoS

The compressed data parser uses zlib.decompress() without a maximum output size. A small, highly compressed payload can expand to a very large output, causing memory exhaustion and denial of service.

Unfurl's debug mode cannot be disabled due to string config parsing (Werkzeug debugger exposure)

The Unfurl web app enables Flask debug mode even when configuration sets debug = False. The config value is read as a string and passed directly to app.run(debug=…), so any non-empty string evaluates truthy. This leaves the Werkzeug debugger active by default.