CVE-2023-45853
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.
References
Published
Community ground truth
Community verdict
4 verdictsIncludes TruePositive's curated baseline from public sources — community verdicts accrue on top.
to add your verdict.
Practitioners rate this lower than its CVSS — likely over-rated by the score.
Field notes & remediation
Verdicts are the quick signal — notes are the evidence and fixes behind them.
- 0
Scanners flag this critical on anything that links zlib — but the bug is in MiniZip, a contrib utility that is not part of the zlib library distros actually ship. zlib's maintainer noted MiniZip isn't a supported component, and Debian marked the core library unaffected. It's reachable only if your software bundles MiniZip and feeds it attacker-controlled archive entries. For the typical
libzdependency it's noise.Sources: NVD · Debian security tracker.
- 0
If you genuinely bundle and use MiniZip's
zipOpenNewFileInZip4_64, update to a patched MiniZip / zlib 1.3.1+. Otherwise document why the core-zlib finding doesn't apply to your build and move on.
Related CVEs
Same weakness — CWE-190 · Integer Overflow.
- CVE-2021-30860CVSS 7.8KEVEPSS 76%
An integer overflow was addressed with improved input validation. This issue is fixed in Security Update 2021-005 Catalina, iOS 14.8 and iPadOS 14.8, macOS Big Sur 11.6, watchOS 7.6.2. Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
- CVE-2015-8651CVSS 8.8KEVEPSS 68%
Integer overflow in Adobe Flash Player before 18.0.0.324 and 19.x and 20.x before 20.0.0.267 on Windows and OS X and before 11.2.202.559 on Linux, Adobe AIR before 20.0.0.233, Adobe AIR SDK before 20.0.0.233, and Adobe AIR SDK & Compiler before 20.0.0.233 allows attackers to execute arbitrary code via unspecified vectors.
- CVE-2018-6065CVSS 8.8KEVEPSS 59%
Integer overflow in computing the required allocation size when instantiating a new javascript object in V8 in Google Chrome prior to 65.0.3325.146 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
- CVE-2021-30952CVSS 7.8KEVEPSS 8%
An integer overflow was addressed with improved input validation. This issue is fixed in tvOS 15.2, macOS Monterey 12.1, Safari 15.2, iOS 15.2 and iPadOS 15.2, watchOS 8.3. Processing maliciously crafted web content may lead to arbitrary code execution.
- CVE-2025-48595CVSS 8.4KEVEPSS 0%
In multiple locations, there is a possible way to achieve code execution due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.