CVE-2022-4565: 
Java vulnerability analysis and mitigation

A vulnerability was discovered in Dromara HuTool versions up to 5.8.10, identified as CVE-2022-4565. The vulnerability affects the file cn.hutool.core.util.ZipUtil.java and is related to improper resource consumption during ZIP file decompression. The issue was disclosed on December 12, 2022, and affects all versions from 4.4.2 to 5.8.10 (GitHub Issue).

The vulnerability is classified as a ZIP bomb vulnerability in the ZipUtil.java file. The issue stems from the lack of proper size validation during ZIP file decompression, where the code passes a -1L parameter to the unzip method, effectively bypassing size limit checks. The vulnerability has received a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability allows attackers to consume server storage resources through ZIP bomb attacks. For example, a 42KB compressed file can expand to 5.5GB, a 10MB file to 281TB, and a 46MB file to 4.5PB when decompressed. This can lead to denial of service conditions by exhausting the server's storage resources (GitHub Issue).

The recommended mitigation is to upgrade to HuTool version 5.8.11 or later, which addresses this vulnerability. For those unable to upgrade immediately, it's recommended to implement size validation checks and set default values for decompressed file sizes or compression ratios, with rollback operations if these limits are exceeded (GitHub Issue).