CVE-2025-30153
Published: 19 March 2025
Summary
CVE-2025-30153 is a high-severity Data Amplification (CWE-409) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003). Exploit likelihood is ranked at the 30.0th percentile (below the median), and the CVE is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Remediating flaws by updating kin-openapi to version 0.131.0 or later directly eliminates the ZIP bomb vulnerability causing memory exhaustion.
Denial-of-service protection controls limit or detect resource exhaustion attacks from crafted ZIP files in multipart/form-data requests.
Validating the content of multipart/form-data inputs prevents processing of malicious ZIP bombs that lead to server memory exhaustion.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables sending a crafted ZIP bomb via multipart/form-data request to exhaust server memory, directly mapping to application exhaustion flood for denial of service.
NVD Description
kin-openapi is a Go project for handling OpenAPI files. Prior to 0.131.0, when validating a request with a multipart/form-data schema, if the OpenAPI schema allows it, an attacker can upload a crafted ZIP file (e.g., a ZIP bomb), causing the server to consume all available system memory. The root cause comes from the ZipFileBodyDecoder, which is registered automatically by the module (contrary to what the documentation says). This vulnerability is fixed in 0.131.0.
Deeper analysis
CVE-2025-30153 is a vulnerability in the kin-openapi Go library, used for handling OpenAPI files, affecting versions prior to 0.131.0. During validation of a request against a multipart/form-data schema, if the schema allows it, the library's ZipFileBodyDecoder (registered automatically by the module, although the documentation states otherwise) decompresses a crafted ZIP file such as a ZIP bomb. This causes the server to consume all available system memory, leading to denial of service. The issue is classified under CWE-409 (Improper Handling of Highly Compressed Data / Data Amplification) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
An unauthenticated attacker with network access to a vulnerable server can exploit this by sending a specially crafted multipart/form-data request containing a ZIP bomb, requiring low complexity and no user interaction. Successful exploitation results in high-impact availability disruption through complete memory exhaustion on the server, without affecting confidentiality or integrity.
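As an added illustration (not kin-openapi's own code), the size-bounding a ZIP body decoder needs so that a small archive expanding to many megabytes is rejected instead of consuming server memory: each entry's declared size is checked first, then the real output is capped with a limited reader. DecodeBounded and buildZip are hypothetical names, and the archive is constructed in memory from zero bytes as a stand-in for a real bomb.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"io"
)

// ErrTooLarge signals that an archive would expand beyond the caller's cap.
var ErrTooLarge = errors.New("zip entry exceeds decompressed size cap")

// DecodeBounded walks every entry of an in-memory ZIP without letting the
// total decompressed output exceed maxBytes; it returns the bytes consumed.
func DecodeBounded(data []byte, maxBytes int64) (int64, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return 0, err
	}
	var total int64
	for _, f := range r.File {
		// Cheap first check on the declared size; a bomb may lie here, so
		// the bounded copy below is still required.
		if int64(f.UncompressedSize64) > maxBytes-total {
			return total, ErrTooLarge
		}
		rc, err := f.Open()
		if err != nil {
			return total, err
		}
		// Read one byte past the remaining budget so an entry larger than
		// its header claims is rejected rather than silently truncated.
		n, err := io.Copy(io.Discard, io.LimitReader(rc, maxBytes-total+1))
		rc.Close()
		if err != nil {
			return total, err
		}
		if total += n; total > maxBytes {
			return total, ErrTooLarge
		}
	}
	return total, nil
}

// buildZip constructs a sample archive (a stand-in, not a real bomb) holding
// one entry of `size` zero bytes, which deflate shrinks by roughly 1000:1.
func buildZip(size int) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	fw, _ := w.Create("payload.bin")
	fw.Write(make([]byte, size))
	w.Close()
	return buf.Bytes()
}
```

With a 1 MiB cap, an 8 MiB-of-zeros archive (a few KiB on the wire) is refused before any of it is inflated, while a 1000-byte entry decodes normally.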
The vulnerability is addressed in kin-openapi version 0.131.0, as detailed in the GitHub security advisory at https://github.com/getkin/kin-openapi/security/advisories/GHSA-wq9g-9vfc-cfq9 and the fixing commit at https://github.com/getkin/kin-openapi/commit/67f0b233ffc01332f7d993f79490fbea5f4455f1. Additional context on the root cause appears in the library's req_resp_decoder.go source code, and documentation at https://github.com/getkin/kin-openapi?tab=readme-ov-file#custom-content-type-for-body-of-http-requestresponse notes handling of custom content types for request/response bodies.
Details
- CWE(s)