CVE-2025-30153
Published: 19 March 2025
Description
Adversaries may target resource-intensive features of applications to cause a denial of service (DoS), denying availability to those applications.
Security Summary
CVE-2025-30153 is a vulnerability in the kin-openapi Go library, which loads OpenAPI documents and validates HTTP requests and responses against them, affecting versions prior to 0.131.0. When a request is validated against a multipart/form-data schema that admits a ZIP part, the library's ZipFileBodyDecoder, which the module registers by default even though its documentation states otherwise, reads and decompresses the supplied archive into memory without bounding its expanded size. A crafted archive such as a ZIP bomb therefore expands until the server has consumed all available system memory, resulting in denial of service. The issue is classified under CWE-409 (Improper Handling of Highly Compressed Data (Data Amplification)) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
An unauthenticated attacker with network access to a vulnerable server can exploit this by sending a specially crafted multipart/form-data request containing a ZIP bomb to any endpoint whose schema accepts such a part; the attack has low complexity and requires no user interaction. Successful exploitation causes a high-impact availability disruption through memory exhaustion on the server, without affecting confidentiality or integrity.
The vulnerability is addressed in kin-openapi version 0.131.0, as detailed in the GitHub security advisory at https://github.com/getkin/kin-openapi/security/advisories/GHSA-wq9g-9vfc-cfq9 and the fixing commit at https://github.com/getkin/kin-openapi/commit/67f0b233ffc01332f7d993f79490fbea5f4455f1. Additional context on the root cause appears in the library's req_resp_decoder.go source code, and documentation at https://github.com/getkin/kin-openapi?tab=readme-ov-file#custom-content-type-for-body-of-http-requestresponse notes handling of custom content types for request/response bodies.
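The following is an added example, written for this page and not taken from kin-openapi or its advisory. Using only the Go standard library, it builds the request shape the advisory describes (a multipart/form-data body carrying a ZIP part) with a constructed small-scale stand-in for a ZIP bomb, and shows the two-sided bound a decoder for such a part needs: a cap on the bytes read from the wire and a cap on the bytes produced by inflation, checked first against the sizes the archive declares and again against what actually comes out, since the declared sizes are attacker-controlled. The part name "archive", the caps, and the 8 MiB deflate-of-zeros payload are assumptions made for the illustration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"mime"
	"mime/multipart"
	"net/textproto"
)

var ErrTooLarge = errors.New("zip archive exceeds size limit") // request or archive over a cap

// buildZeroZip is constructed test input: one deflated entry of n zero bytes (~1000:1, a mini ZIP bomb).
func buildZeroZip(n int) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, _ := zw.Create("payload.bin") // Create defaults to the Deflate method
	io.Copy(w, bytes.NewReader(make([]byte, n)))
	zw.Close()
	return buf.Bytes()
}

// buildMultipart wraps archive as the "archive" part of a multipart/form-data body, the advisory's request shape.
func buildMultipart(archive []byte) (body []byte, contentType string) {
	var buf bytes.Buffer
	mw := multipart.NewWriter(&buf)
	part, _ := mw.CreatePart(textproto.MIMEHeader{"Content-Type": {"application/zip"},
		"Content-Disposition": {`form-data; name="archive"; filename="payload.zip"`}})
	part.Write(archive)
	mw.Close()
	return buf.Bytes(), mw.FormDataContentType()
}

// decodeZipBounded inflates raw under maxUncompressed. Each entry's declared size is checked first
// (free, but attacker-controlled), then the cap is enforced again on the bytes actually produced.
func decodeZipBounded(raw []byte, maxUncompressed int64) ([]byte, error) {
	zr, err := zip.NewReader(bytes.NewReader(raw), int64(len(raw)))
	if err != nil {
		return nil, err
	}
	var out bytes.Buffer
	remaining := maxUncompressed
	for _, f := range zr.File {
		if f.UncompressedSize64 > uint64(remaining) {
			return nil, ErrTooLarge // rejected before inflating anything
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		n, err := io.Copy(&out, io.LimitReader(rc, remaining+1)) // one byte over the cap proves a lie
		rc.Close()
		if err != nil {
			return nil, err
		}
		if remaining -= n; remaining < 0 {
			return nil, ErrTooLarge
		}
	}
	return out.Bytes(), nil
}

// decodeUpload parses a multipart/form-data body and decodes its "archive" part under a wire cap and an inflation cap.
func decodeUpload(body []byte, contentType string, maxCompressed, maxUncompressed int64) ([]byte, error) {
	_, params, err := mime.ParseMediaType(contentType)
	if err != nil {
		return nil, err
	}
	mr := multipart.NewReader(bytes.NewReader(body), params["boundary"])
	for {
		p, err := mr.NextPart()
		if err != nil {
			return nil, err // io.EOF here means no "archive" part was sent
		}
		if p.FormName() != "archive" {
			continue
		}
		raw, err := io.ReadAll(io.LimitReader(p, maxCompressed+1))
		if err == nil && int64(len(raw)) > maxCompressed {
			err = ErrTooLarge
		}
		if err != nil {
			return nil, err
		}
		return decodeZipBounded(raw, maxUncompressed)
	}
}

func main() {
	body, ct := buildMultipart(buildZeroZip(8 << 20)) // 8 MiB inflated, a few KiB on the wire
	for _, capBytes := range []int64{1 << 20, 16 << 20} {
		out, err := decodeUpload(body, ct, 1<<20, capBytes)
		fmt.Printf("cap %d MiB: inflated %d bytes, err: %v\n", capBytes>>20, len(out), err)
	}
}
```

Under a 1 MiB inflation cap the request is refused on the declared entry size before a single byte is inflated; under a 16 MiB cap the 8 MiB payload is produced in full, which is the point: the decoder, not the archive, decides how much memory the request may claim. If an application genuinely needs validated ZIP uploads, the place to attach a bounded decoder of this kind to kin-openapi is the custom body decoder mechanism described in the README section linked above; the adapter to the library's own decoder signature is not shown here. Otherwise, upgrading to 0.131.0 removes the exposure the advisory describes.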
Details
- CWE(s): CWE-409 (Improper Handling of Highly Compressed Data (Data Amplification))
MITRE ATT&CK Enterprise Techniques
- T1499.003 Endpoint Denial of Service: Application Exhaustion Flood
Why these techniques?
The vulnerability lets an attacker send a crafted ZIP bomb in a multipart/form-data request to exhaust server memory, which maps directly to Application Exhaustion Flood, a form of endpoint denial of service.