CVE-2025-30153
📋 TL;DR
CVE-2025-30153 is a denial-of-service weakness in kin-openapi, the Go library for OpenAPI 3 parsing and validation. In releases before 0.131.0, the openapi3filter request validation decodes ZIP file parts of multipart/form-data requests and inflates them into memory with no cap on the inflated size, so anyone who can reach an endpoint validated by the library can send a ZIP bomb (a small archive that decompresses to a very large payload) and exhaust the process's memory. The decoder involved, ZipFileBodyDecoder, was registered automatically even though the library's documentation suggested it had to be opted into, so applications were exposed without ever configuring ZIP handling.
💻 Affected Systems
- kin-openapi (github.com/getkin/kin-openapi), every release before 0.131.0, through the openapi3filter package's request body decoding; any Go service that validates multipart/form-data requests with it is exposed
⚠️ Manual Verification Required
Automated scanners that key only on the NVD record may not flag this CVE, because the NVD entry does not carry a machine-readable version range for kin-openapi. The GitHub advisory (GHSA-wq9g-9vfc-cfq9) does: every release before 0.131.0 is affected. Treat a scanner miss as inconclusive and check the module version yourself.
- Read the GitHub advisory linked under Official Fix; it is more specific than the NVD record
- Find the resolved kin-openapi version in your module graph (go.mod, go.sum, or go list -m) and in deployed binaries, not just in source
- Check which routes validated by openapi3filter accept multipart/form-data, the request shape the advisory describes; those routes are the exposed surface
- Update to 0.131.0 or later regardless; confirming exploitability in your environment is not a prerequisite for a dependency bump
⚠️ Risk & Real-World Impact
Worst Case
Process termination through memory exhaustion: the Go runtime aborts with fatal error: runtime: out of memory, or the kernel OOM killer terminates the process, taking down every API the process serves and possibly neighbouring workloads on the same host.
Likely Case
Service disruption through resource exhaustion, leading to downtime and degraded performance for legitimate users.
If Mitigated
Minimal impact with proper input validation and resource limits in place.
🎯 Exploit Status
Exploitation requires only the ability to send a multipart/form-data request to an endpoint whose body kin-openapi validates; no authentication bypass is involved, so an unauthenticated upload endpoint is reachable by anyone and an authenticated one by any user permitted to upload. The payload is cheap to produce and repeat: a single layer of deflate compresses at up to roughly 1032:1, so an archive of about 1 MiB inflates to about 1 GiB in the decoder.
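The mechanism behind the summary and the exploit assessment above, shown in standard-library Go as an added example (this is not kin-openapi's code): decodeUnbounded is a minimal stand-in for a decoder that inflates every archive entry with io.ReadAll, decodeBounded shows the cap that a safe decoder needs, and buildZip constructs the test archive. The function names, the size limits and the archive are assumptions made for the example.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
)

// ErrInflatedTooLarge is returned when an archive would inflate past the cap.
var ErrInflatedTooLarge = errors.New("zip: inflated size exceeds limit")

// buildZip writes an in-memory ZIP holding one entry of size bytes, all zeros.
// Constructed input for the example: a run of zeros deflates to a tiny fraction
// of its size, which is exactly what makes a ZIP bomb cheap to send.
func buildZip(name string, size int) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, err := zw.Create(name)
	if err != nil {
		panic(err)
	}
	if _, err := w.Write(make([]byte, size)); err != nil {
		panic(err)
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// decodeUnbounded is a stand-in for the dangerous pattern: each entry is
// inflated fully into memory with no limit, so the client, not the server,
// decides how much memory the request consumes.
func decodeUnbounded(archive []byte) (map[string][]byte, error) {
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return nil, err
	}
	out := make(map[string][]byte)
	for _, f := range zr.File {
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc) // grows to the uncompressed size
		rc.Close()
		if err != nil {
			return nil, err
		}
		out[f.Name] = data
	}
	return out, nil
}

// decodeBounded caps the total inflated bytes. The size recorded in the central
// directory is checked first for a cheap rejection, but headers can lie, so the
// read itself is capped with a LimitReader as well.
func decodeBounded(archive []byte, maxInflated int64) (map[string][]byte, error) {
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return nil, err
	}
	out := make(map[string][]byte)
	remaining := maxInflated
	for _, f := range zr.File {
		if f.UncompressedSize64 > uint64(remaining) {
			return nil, ErrInflatedTooLarge
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		// Allow one byte past the budget so an entry that understates its
		// size in the header is still caught by the actual read.
		data, err := io.ReadAll(io.LimitReader(rc, remaining+1))
		rc.Close()
		if err != nil {
			return nil, err
		}
		if int64(len(data)) > remaining {
			return nil, ErrInflatedTooLarge
		}
		remaining -= int64(len(data))
		out[f.Name] = data
	}
	return out, nil
}

func main() {
	bomb := buildZip("payload.bin", 16<<20) // inflates to 16 MiB
	fmt.Printf("bomb on the wire: %d bytes\n", len(bomb))
	_, err := decodeBounded(bomb, 8<<20)
	fmt.Println("bounded decode with an 8 MiB cap:", err)
	files, err := decodeBounded(buildZip("doc.txt", 1024), 8<<20)
	fmt.Println("bounded decode of a 1 KiB entry:", len(files["doc.txt"]), err)
}
```

Running it shows the asymmetry the advisory is about: the archive is a few kilobytes on the wire, decodeUnbounded would hold the full 16 MiB per request, and decodeBounded refuses before allocating anything beyond its budget. A custom body decoder registered in place of the library's ZIP decoder should follow the bounded shape.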
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.131.0
Vendor Advisory: https://github.com/getkin/kin-openapi/security/advisories/GHSA-wq9g-9vfc-cfq9
Restart Required: Yes. The fix is a compiled-in dependency change, so the service must be rebuilt and redeployed; a running process does not pick it up.
Instructions:
1. Update the dependency: go get github.com/getkin/kin-openapi@v0.131.0 (or a later release), then go mod tidy.
2. Rebuild the application binary; a patched go.mod changes nothing until the code is recompiled.
3. Redeploy, and confirm with go version -m on the built binary that it embeds kin-openapi v0.131.0 or later.
4. If the API relies on ZIP request bodies, re-test those routes after upgrading: the root cause was the decoder being registered automatically, so expect the patched release to require explicit registration for ZIP handling, and check the advisory and release notes for the exact API.
🔧 Temporary Workarounds
Disable automatic ZIP file decoding
- If the API does not legitimately accept ZIP uploads, unregister the decoder before any validation runs, using openapi3filter.UnregisterBodyDecoder for the application/zip content type (the advisory notes the library registers this decoder automatically)
- If ZIP uploads are needed, register a custom decoder for that content type (see the README section on custom content types in the references) that caps the total inflated size instead of inflating whole entries into memory
Implement file upload restrictions
- Cap the request body before validation, for example with http.MaxBytesReader on r.Body in a middleware; a single layer of deflate cannot exceed roughly 1032:1, so the body cap also bounds how far a ZIP part can inflate
- Set the equivalent maximum request size in the HTTP server or reverse proxy in front of the application
- Reject multipart parts whose Content-Type is application/zip on routes that do not need them before the request reaches kin-openapi
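One way to apply the size and content-type restrictions above inside the application, ahead of kin-openapi validation, as an added example using only the Go standard library (not kin-openapi's own code): uploadGuard caps the body with http.MaxBytesReader and refuses multipart requests that carry a ZIP part, and sendMultipart drives it with constructed requests against a stand-in for the validating handler. The names uploadGuard, findBlockedPart and sendMultipart, the 1 MiB cap and the blocked-type list are assumptions made for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"mime"
	"mime/multipart"
	"net/http"
	"net/http/httptest"
	"net/textproto"
	"strings"
)

// Assumed values for the example; tune them to the API's real upload needs.
const maxBodyBytes int64 = 1 << 20 // 1 MiB

var blockedPartTypes = []string{"application/zip", "application/x-zip-compressed"}

// uploadGuard wraps next (the chain that ends in kin-openapi validation) and
// rejects, before validation runs, any request whose body exceeds maxBytes or
// whose multipart parts carry a blocked content type.
func uploadGuard(next http.Handler, maxBytes int64, blocked []string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Hard cap on how much any downstream reader, the validator included,
		// can pull from the body.
		r.Body = http.MaxBytesReader(w, r.Body, maxBytes)

		mediaType, params, err := mime.ParseMediaType(r.Header.Get("Content-Type"))
		if err == nil && mediaType == "multipart/form-data" {
			// Buffer the (now bounded) body so parts can be inspected here and
			// the untouched bytes still handed to the validator afterwards.
			body, err := io.ReadAll(r.Body)
			if err != nil {
				http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
				return
			}
			if ct := findBlockedPart(body, params["boundary"], blocked); ct != "" {
				http.Error(w, "unsupported part content type: "+ct, http.StatusUnsupportedMediaType)
				return
			}
			r.Body = io.NopCloser(bytes.NewReader(body))
		}
		next.ServeHTTP(w, r)
	})
}

// findBlockedPart walks the multipart body and returns the first part content
// type found in blocked, or "" if there is none (or the body is malformed, in
// which case the validator downstream reports the real error).
func findBlockedPart(body []byte, boundary string, blocked []string) string {
	mr := multipart.NewReader(bytes.NewReader(body), boundary)
	for {
		part, err := mr.NextPart()
		if err != nil {
			return ""
		}
		ct, _, _ := mime.ParseMediaType(part.Header.Get("Content-Type"))
		part.Close()
		for _, b := range blocked {
			if strings.EqualFold(ct, b) {
				return ct
			}
		}
	}
}

// sendMultipart builds a constructed multipart/form-data request with one file
// part of the given content type and size, runs it through uploadGuard in front
// of a stand-in validator, and returns the HTTP status.
func sendMultipart(partType string, size int, maxBytes int64) int {
	var buf bytes.Buffer
	mw := multipart.NewWriter(&buf)
	hdr := textproto.MIMEHeader{}
	hdr.Set("Content-Disposition", `form-data; name="file"; filename="upload.bin"`)
	hdr.Set("Content-Type", partType)
	pw, err := mw.CreatePart(hdr)
	if err != nil {
		panic(err)
	}
	pw.Write(make([]byte, size))
	mw.Close()

	req := httptest.NewRequest(http.MethodPost, "/upload", &buf)
	req.Header.Set("Content-Type", mw.FormDataContentType())
	rec := httptest.NewRecorder()
	validator := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.Copy(io.Discard, r.Body) // where openapi3filter.ValidateRequest would run
		w.WriteHeader(http.StatusAccepted)
	})
	uploadGuard(validator, maxBytes, blockedPartTypes).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("text part, 100 B:", sendMultipart("text/plain", 100, maxBodyBytes))
	fmt.Println("zip part, 100 B: ", sendMultipart("application/zip", 100, maxBodyBytes))
	fmt.Println("text part, 2 MiB:", sendMultipart("text/plain", 2<<20, maxBodyBytes))
}
```

The guard buffers the multipart body once, but only after MaxBytesReader has bounded it, so the buffer can never exceed the cap; the part check is by declared Content-Type, which is enough to keep the library's ZIP decoder from being selected on routes that never expect archives, while a route that must accept ZIP still needs the bounded decoder described under the first workaround.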
🧯 If You Can't Patch
- Cap the request body at the web server or load balancer in front of the application. A single layer of deflate cannot exceed roughly 1032:1, so the body cap also bounds how far the library can inflate a ZIP part (a 1 MiB body inflates to at most about 1 GiB); choose the cap with that multiplier in mind, not only the sizes legitimate clients send
- Add WAF or proxy rules that reject multipart/form-data requests containing parts with Content-Type application/zip on endpoints that have no business receiving archives, and rate-limit uploads so a crashing process cannot be kept down by retries
🔍 How to Verify
Check if Vulnerable:
Any resolved kin-openapi version below v0.131.0 in the module graph is vulnerable. Check the resolved version rather than only the go.mod line, since a replace directive or an indirect requirement can differ from what the file shows, and check deployed binaries separately, since a patched go.mod does nothing until the service is rebuilt.
Check Version:
go list -m github.com/getkin/kin-openapi
go version -m /path/to/built/binary | grep kin-openapi
Verify Fix Applied:
Both commands report github.com/getkin/kin-openapi at v0.131.0 or later; the binary check confirms the patched module actually shipped.
📡 Detection & Monitoring
Log Indicators:
- Memory use of the Go process climbing sharply during a single request, followed by fatal error: runtime: out of memory on its stderr or an OOM-killer line (Out of memory: Killed process ...) in the kernel log
- multipart/form-data requests whose parts carry Content-Type: application/zip, especially on routes never meant to take archives
- Process restarts that coincide with upload requests
Network Indicators:
- ZIP uploads to validated endpoints regardless of size: a ZIP bomb is small on the wire and only grows when inflated, so byte-count thresholds alone will not flag it
- Bursts of repeated multipart uploads from one client, which is how an attacker keeps a restarting service down
SIEM Query:
source="application_logs" AND (message="*runtime: out of memory*" OR message="*Out of memory: Killed process*") AND process="your_go_app"
Adjust the field names and wildcard syntax to your SIEM; the kernel OOM message usually arrives from the host's syslog source rather than from the application log.
🔗 References
- https://github.com/getkin/kin-openapi/blob/6da871e0e170b7637eb568c265c08bc2b5d6e7a3/openapi3filter/req_resp_decoder.go#L1275
- https://github.com/getkin/kin-openapi/blob/6da871e0e170b7637eb568c265c08bc2b5d6e7a3/openapi3filter/req_resp_decoder.go#L1523
- https://github.com/getkin/kin-openapi/commit/67f0b233ffc01332f7d993f79490fbea5f4455f1
- https://github.com/getkin/kin-openapi/security/advisories/GHSA-wq9g-9vfc-cfq9
- https://github.com/getkin/kin-openapi?tab=readme-ov-file#custom-content-type-for-body-of-http-requestresponse