Excessive CPU consumption when building archive index in archive/zip

GO-2026-4342 · BIT-golang-2025-61728 · CVE-2025-61728

Published Jan 28, 2026 · Modified Jun 12, 2026

Description

archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.

References

FIX https://go.dev/cl/736713
REPORT https://go.dev/issue/77102
WEB https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes