CVE-2026-55195: py7zr: Decompression bomb (zip bomb) denial of service via unchecked extraction size
py7zr’s Worker.decompress() extracts archive entries without tracking total decompressed size. A crafted .7z file can exhaust disk or memory before the extraction completes.
Measured: 15.6 KB archive → 100 MB output (6,556:1 ratio).
Proof of concept:
import py7zr, tempfile, os
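A defensive counterpart to the flaw described above, added here as an example and not part of py7zr or of the advisory: 7z stores each entry's uncompressed size in the archive header and the decoder emits exactly that many bytes, so summing the declared sizes before extracting bounds the output that Worker.decompress() would otherwise write unchecked. The budget values, the Entry record and the helper names are assumptions for this example; the wrapper assumes py7zr's list() entries expose filename, uncompressed and is_directory.

```python
"""Pre-extraction size gate for .7z archives (added example, not py7zr code)."""
import os
from dataclasses import dataclass
from typing import Iterable, Optional

try:
    import py7zr  # optional: check_budget() itself needs only size records
except ImportError:
    py7zr = None

# Budgets are assumptions for this example; tune them to the deployment.
MAX_TOTAL_BYTES = 64 * 1024 * 1024   # never inflate more than 64 MiB per archive
MAX_RATIO = 100.0                    # declared output bytes / archive bytes on disk


@dataclass(frozen=True)
class Entry:
    name: str
    uncompressed: int   # size declared in the 7z header for this entry


def check_budget(entries: Iterable[Entry], archive_size: int,
                 max_total: int = MAX_TOTAL_BYTES,
                 max_ratio: float = MAX_RATIO) -> Optional[str]:
    """Return None if the declared output fits the budget, else a reason string."""
    total = 0
    for e in entries:
        if e.uncompressed < 0:
            return f"negative size declared for {e.name!r}"
        total += e.uncompressed
        if total > max_total:          # stop early: no need to sum the rest
            return f"declared output {total} B exceeds cap {max_total} B"
    if archive_size > 0 and total / archive_size > max_ratio:
        return (f"expansion ratio {total / archive_size:.0f}:1 "
                f"exceeds {max_ratio:.0f}:1")
    return None


def safe_extract(archive_path: str, dest: str) -> None:
    """Extract only if the header-declared sizes pass check_budget()."""
    if py7zr is None:
        raise RuntimeError("py7zr is not installed")
    with py7zr.SevenZipFile(archive_path, "r") as z:
        entries = [Entry(f.filename, f.uncompressed)
                   for f in z.list() if not f.is_directory]
        reason = check_budget(entries, os.path.getsize(archive_path))
        if reason:
            raise ValueError(f"refusing to extract {archive_path}: {reason}")
        z.extractall(path=dest)
```

With the defaults above, an archive shaped like the measured one (about 15.6 KB on disk declaring 100 MB of output) is rejected on the absolute cap before any byte is written to disk.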