CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
Chall-Manager is a platform-agnostic system able to start challenges on demand for a player. When decoding a scenario (i.e. a zip archive), the size of the decoded content is not checked, potentially allowing zip bomb decompression. Exploitation requires neither authentication nor authorization, so anyone who can reach the service can exploit it. It should nonetheless not be exploitable in practice, as it is highly recommended to bury Chall-Manager deep within the infrastructure because of its large capabilities, so that no user can reach the system. The patch was implemented in commit 14042aa and shipped in v0.1.4.
Analysis
Chall-Manager versions prior to v0.1.4 contain an unchecked decompression vulnerability (CWE-405) that allows unauthenticated attackers to trigger zip bomb attacks by uploading malicious scenario archives. This denial-of-service vulnerability has a CVSS 9.8 severity score because of its complete system compromise potential (confidentiality, integrity and availability impact) combined with a network-accessible attack surface. The vulnerability is mitigated in practice by deployment recommendations that Chall-Manager be isolated within the infrastructure, but an attacker with network access to the system can compromise it completely without authentication or user interaction.
Technical Context
Chall-Manager is a challenge deployment platform that processes scenario files packaged as ZIP archives. The vulnerability exists in the scenario decoding function, which decompresses ZIP files without validating the decompressed output size against maximum resource thresholds. This is a classic zip bomb vulnerability (CWE-405: Uncontrolled Resource Consumption / 'Zip Bomb'), where specially crafted ZIP archives with high compression ratios expand to extremely large sizes during decompression, exhausting disk space and memory. The root cause is inadequate input validation on archive metadata: the application neither checks the declared uncompressed size before extraction nor imposes a cumulative size limit during decompression. The affected product is Chall-Manager in all versions before v0.1.4, though CPE strings are not provided in the source material. Because the vulnerability sits in the core scenario loading mechanism, it affects every deployment of this platform.
Affected Products
- product: Chall-Manager
- affected_versions: < 0.1.4
- safe_versions: >= 0.1.4
- component: Scenario decoder / ZIP archive processing
- deployment_context: All installations prior to patch commit 14042aa
- note: Vendor advisory describes this as a platform-agnostic system; no specific vendor link provided in source material
Remediation
- Upgrade Chall-Manager to version 0.1.4 or later. Details: patch implemented in commit 14042aa; this version includes decompression size validation. Priority: immediate for exposed systems; within 30 days for isolated systems.
- Configuration mitigation: implement network isolation per vendor recommendation. Details: restrict Chall-Manager access to internal trusted networks only; do not expose it to the internet or untrusted user networks. Priority: mandatory regardless of patch status.
- Operational control: implement resource limits and monitoring. Details: deploy disk space quotas on systems running Chall-Manager; monitor decompression processes for anomalous resource consumption; set maximum file size limits on upload endpoints. Priority: high (provides defense in depth).
- Input validation workaround: if patching is delayed, implement pre-decompression validation. Details: validate ZIP archive metadata (declared uncompressed size) before processing; reject archives with compression ratios above a threshold (e.g., >100:1); enforce a maximum uncompressed size (e.g., 500 MB). Priority: temporary measure only.
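The workaround above, as an added example that is not Chall-Manager's own code: a Go scenario decoder that rejects entries whose headers declare an implausible compression ratio before anything is inflated, and then budgets the bytes actually produced, because a declared uncompressed size in an attacker-supplied header cannot be trusted. The 100:1 and 500 MB figures are the advisory's; the function names, parameters and the in-memory sample archive are assumptions.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
)

var ErrZipBomb = errors.New("scenario archive exceeds decompression limits")

// safeDecode inflates a scenario archive into memory. Entry headers are checked first
// for an implausible ratio; since headers can be forged, real output is capped at maxTotal.
func safeDecode(archive []byte, maxTotal int64, maxRatio uint64) (map[string][]byte, error) {
	r, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return nil, err
	}
	for _, f := range r.File { // pass 1: cheap metadata check, nothing inflated yet
		if f.CompressedSize64 > 0 && f.UncompressedSize64/f.CompressedSize64 > maxRatio {
			return nil, fmt.Errorf("%w: %s declares ratio above %d:1", ErrZipBomb, f.Name, maxRatio)
		}
	}
	out, remaining := make(map[string][]byte, len(r.File)), maxTotal
	for _, f := range r.File { // pass 2: budget the real output, not the claimed size
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(io.LimitReader(rc, remaining+1)) // +1 byte reveals overflow
		rc.Close()
		if err != nil || int64(len(data)) > remaining {
			return nil, fmt.Errorf("%w: %s unreadable or larger than %d bytes", ErrZipBomb, f.Name, maxTotal)
		}
		remaining -= int64(len(data))
		out[f.Name] = data
	}
	return out, nil
}

// buildArchive deflates one entry into an in-memory zip (constructed sample input only).
func buildArchive(name string, data []byte) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	f, _ := w.Create(name)
	f.Write(data)
	w.Close()
	return buf.Bytes()
}
```

Pass 1 alone is not sufficient: an archive can declare a tiny uncompressed size and still inflate without bound, which is why the second loop counts what the decompressor actually emits.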
EUVD-2025-21056
GHSA-r7fm-3pqm-ww5w