Security #7766

closed

libhtp-c: memory leak with lzma

Added by Philippe Antoine about 1 month ago. Updated 9 days ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Label:
Git IDs:

9037ea35110a0d97be5cedf8d31fb4cd9a38c7a7

Severity:
HIGH
Disclosure Date:
09/15/2025

Description

Found by oss-fuzz
https://issues.oss-fuzz.com/u/1/issues/425041683?pli=1

Only in 7

I would go for critical (leaking 256 kilobytes at a time)

Actions #1

Updated by Philippe Antoine about 1 month ago

  • Status changed from New to In Review

Gitlab MR

Actions #2

Updated by Victor Julien about 1 month ago

Would the client have to request using lzma or can the server just decide to use it?

Actions #3

Updated by Philippe Antoine about 1 month ago

Victor Julien wrote in #note-2:

> Would the client have to request using lzma or can the server just decide to use it?

Oh I checked and apparently, the client can also use lzma and thus trigger the bug... (even if I did not think so)

Actions #4

Updated by Jason Ish about 1 month ago

  • Severity changed from MODERATE to HIGH

Actions #5

Updated by Shivani Bhardwaj 25 days ago

  • Status changed from In Review to Resolved

Actions #7

Updated by Philippe Antoine 23 days ago

  • Status changed from Resolved to Closed

Commit 9037ea35110a0d97be5cedf8d31fb4cd9a38c7a7 in libhtp

Actions #8

Updated by Jason Ish 9 days ago

  • Private changed from Yes to No
  • Git IDs updated (diff)