Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the POST /api/backups/upload endpoint decompresses the details entry from an uploaded .audiobookshelf ZIP file entirely into memory using zip.entryData(), with no limit on the decompressed size. The upload middleware also has no file size limit. An admin user can upload a crafted ZIP containing a highly compressed details entry that, when decompressed, consumes hundreds of megabytes or gigabytes of memory, crashing the server process via out-of-memory. This vulnerability is fixed in 2.32.2.
AnalysisAI
Denial-of-service in Audiobookshelf prior to version 2.32.2 allows authenticated admin users to crash the server by uploading a specially crafted ZIP file to the backup upload endpoint. The vulnerability stems from decompressing ZIP entries without size limits, enabling an attacker to craft a highly compressed archive that consumes gigabytes of memory when extracted, exhausting server resources and triggering an out-of-memory condition.
Technical ContextAI
Audiobookshelf's POST /api/backups/upload endpoint uses zip.entryData() to decompress entries from uploaded .audiobookshelf ZIP files without validating or limiting decompressed size. This is a classic zip bomb vulnerability (CWE-409: Improper Resource Validation). The upload middleware itself also lacks file size restrictions on the incoming request. An attacker with admin credentials can craft a ZIP using extreme compression ratios (e.g., gigabytes of zeros compressed to kilobytes), which expand to enormous memory allocations during decompression, overwhelming Node.js heap memory and crashing the process.
RemediationAI
Upgrade Audiobookshelf to version 2.32.2 or later immediately; this is the vendor-released fix addressing the decompression bomb vulnerability. If immediate upgrade is not feasible, restrict admin role assignment to only trusted users and implement network-level access controls to limit who can reach the /api/backups/upload endpoint (e.g., firewall rules, reverse proxy authentication). Monitor server memory and CPU usage for anomalous spikes during backup operations. These workarounds do not eliminate the vulnerability but reduce exposure window and attack surface. Refer to the GitHub security advisory at https://github.com/advplyr/audiobookshelf/security/advisories/GHSA-4jq4-rvq8-j26h for patch confirmation.
More in Audiobookshelf
View allAudiobookshelf is a self-hosted audiobook and podcast server. Rated high severity (CVSS 8.2), this vulnerability is remo
Audiobookshelf is a self-hosted audiobook and podcast server. Rated medium severity (CVSS 6.9), this vulnerability is re
Audiobookshelf is a self-hosted audiobook and podcast server. Rated medium severity (CVSS 6.5), this vulnerability is re
Audiobookshelf is a self-hosted audiobook and podcast server. Rated medium severity (CVSS 6.5), this vulnerability is re
Stored XSS in Audiobookshelf prior to version 2.32.0 enables privileged users to inject malicious code into library meta
Audiobookshelf is a self-hosted audiobook and podcast server. Rated medium severity (CVSS 4.8), this vulnerability is re
audiobookshelf is a self-hosted audiobook and podcast server. Rated medium severity (CVSS 4.3), this vulnerability is re
Audiobookshelf is a self-hosted audiobook and podcast server. Rated high severity (CVSS 7.5), this vulnerability is remo
Audiobookshelf is a self-hosted audiobook and podcast server. Rated high severity (CVSS 7.5), this vulnerability is remo
Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the podcast creation endpoint at server/c
Authenticated users with download permissions in Audiobookshelf prior to 2.32.2 can download files from libraries they d
Stored cross-site scripting (XSS) in Audiobookshelf prior to 2.33.0 allows authenticated administrators to inject malici
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29209