Advisories for Pypi/Dfir-Unfurl package

2026

Duplicate Advisory: Unfurl's unbounded zlib decompression allows decompression bomb DoS

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-h5qv-qjv4-pc5m. This link is maintained to preserve external references. Original Description Unfurl before 2026.04 contains an unbounded zlib decompression vulnerability in parse_compressed.py that allows remote attackers to cause denial of service. Attackers can submit highly compressed payloads via URL parameters to the /json/visjs endpoint that expand to gigabytes, exhausting server memory and crashing the service.

Unfurl's unbounded zlib decompression allows decompression bomb DoS

The compressed data parser uses zlib.decompress() without a maximum output size. A small, highly compressed payload can expand to a very large output, causing memory exhaustion and denial of service.

Unfurl's unbounded zlib decompression allows decompression bomb DoS

The compressed data parser uses zlib.decompress() without a maximum output size. A small, highly compressed payload can expand to a very large output, causing memory exhaustion and denial of service.

Unfurl's debug mode cannot be disabled due to string config parsing (Werkzeug debugger exposure)

The Unfurl web app enables Flask debug mode even when configuration sets debug = False. The config value is read as a string and passed directly to app.run(debug=…), so any non-empty string evaluates truthy. This leaves the Werkzeug debugger active by default.