1. Home
  2. CWE Database
  3. CWE-409
Base · Medium

CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)

The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

CWE-409 · Base Level ·2 CVEs

Description

The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

An example of data amplification is a "decompression bomb," a small ZIP file that can produce a large amount of data when it is decompressed.

Potential Impact

Availability

DoS: Amplification, DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory)

Demonstrative Examples

The DTD and the very brief XML below illustrate what is meant by an XML bomb. The ZERO entity contains one character, the letter A. The choice of entity name ZERO is being used to indicate length equivalent to that exponent on two, that is, the length of ZERO is 2^0. Similarly, ONE refers to ZERO twice, therefore the XML parser will expand ONE to a length of 2, or 2^1. Ultimately, we reach entity THIRTYTWO, which will expand to 2^32 characters in length, or 4 GB, probably consuming far more data than expected.
Attack
<?xml version="1.0"?><!DOCTYPE MaliciousDTD [<!ENTITY ZERO "A"><!ENTITY ONE "&ZERO;&ZERO;"><!ENTITY TWO "&ONE;&ONE;">...<!ENTITY THIRTYTWO "&THIRTYONE;&THIRTYONE;">]><data>&THIRTYTWO;</data>

Real-World CVE Examples

CVE IDDescription
CVE-2009-1955XML bomb in web server module
CVE-2003-1564Parsing library allows XML bomb

CWE-405: Asymmetric Resource Consumption (Amplification)

The product does not properly control situations in which an adversary can cause the product to consume or produce exces...

Taxonomy Mappings

  • PLOVER: — Data Amplification
  • The CERT Oracle Secure Coding Standard for Java (2011): IDS04-J — Limit the size of files passed to ZipInputStream

Frequently Asked Questions

What is CWE-409?

CWE-409 (Improper Handling of Highly Compressed Data (Data Amplification)) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

How can CWE-409 be exploited?

Attackers can exploit CWE-409 (Improper Handling of Highly Compressed Data (Data Amplification)) to dos: amplification, dos: crash, exit, or restart, dos: resource consumption (cpu), dos: resource consumption (memory). This weakness is typically introduced during the Architecture and Design, Implementation phase of software development.

How do I prevent CWE-409?

Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.

What is the severity of CWE-409?

CWE-409 is classified as a Base-level weakness (Medium abstraction). It has been observed in 2 real-world CVEs.