CVE-2025-5031: Ackites KillWxapkg Zip Bomb Resource Exhaustion

CVSS Score: 3.1 (Low)

Basic Information

EPSS Score: 0.12131%
Published: 2025-05-21
Updated: 2025-05-21
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L

Read literally, the vector says the flaw is reachable over the network with no privileges, but the attack complexity is high and a user has to be induced to unpack the crafted package (UI:R); the only impact is a low-rated loss of availability, with no effect on confidentiality or integrity.

Affected package
  Package Name:          github.com/Ackites/KillWxapkg
  Ecosystem:             Go
  Vulnerable Versions:   <= 1.1.0
  First Patched Version: not listed

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The primary source of information is the GitHub issue #86 referenced in the vulnerability details. This issue includes a Proof of Concept (PoC) written in Go. The PoC explicitly calls a function UnpackWxapkg to demonstrate the vulnerability. The description of the vulnerability also points to the 'wxapkg File Decompression Handler' as the affected component. Although I could not retrieve the exact file content for unpack.go (it might have been moved, renamed, or the path is different), the PoC code within the issue provides strong evidence that UnpackWxapkg is the function that processes the malicious input and is therefore vulnerable to resource exhaustion. The PoC's createTestWxapkg1 function crafts a malicious package, and TestUnPack uses UnpackWxapkg to process it, triggering the resource consumption.
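The pattern the analysis describes, shown as an added example that is neither KillWxapkg's code nor the PoC from issue #86. It assumes a simplified wxapkg-style container (modelled on the commonly documented layout: a magic byte, length fields, a file count, then name/offset/size index entries followed by the file bodies); the names Unpack, Limits, buildPackage and bombPackage and both sample packages are constructed for this illustration. Called with nil limits, Unpack has the unchecked shape of an unpacker driven by the package's own numbers: the header's count sets the loop bound, each entry's size sets an allocation, and nothing stops two thousand entries from referencing the same body, which is the same trick overlapping entries play in a zip bomb. With limits set, the declared count is checked against policy and against the bytes actually present before the loop starts, and the per-file and total-output caps are checked before any allocation, so the crafted package is refused at the 257th entry with 256 KiB emitted instead of 2000 KiB.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Simplified wxapkg-style layout, big-endian (an assumption modelled on the
// commonly documented format, not KillWxapkg's own parser):
//   0xBE | u32 0 | u32 indexLen | u32 bodyLen | 0xED | u32 count
//   count x { u32 nameLen | name | u32 offset | u32 size }, then the file bodies
const headerLen, minEntryLen = 18, 12
var ErrMalformed, ErrLimit = errors.New("wxapkg: malformed package"), errors.New("wxapkg: declared content exceeds unpack limits")
type Limits struct{ MaxFiles, MaxFileBytes, MaxTotalBytes uint64 } // caps on work done for untrusted input

// Unpack walks the index and hands each file to sink. With lim nil it has the
// unchecked shape the advisory describes: loop bound and allocation sizes come
// straight from the input and entries may overlap. With lim set, each number is checked first.
func Unpack(pkg []byte, lim *Limits, sink func(name string, body []byte)) (total uint64, err error) {
	if len(pkg) < headerLen || pkg[0] != 0xBE || pkg[13] != 0xED {
		return 0, ErrMalformed
	}
	count := uint64(binary.BigEndian.Uint32(pkg[14:])) // uint64: a 0xFFFFFFFF count cannot wrap the loop
	if lim != nil && (count > lim.MaxFiles || count*minEntryLen > uint64(len(pkg)-headerLen)) {
		return 0, fmt.Errorf("%w: %d files declared", ErrLimit, count)
	}
	pos := headerLen
	for i := uint64(0); i < count; i++ {
		if pos+minEntryLen > len(pkg) {
			return total, ErrMalformed
		}
		n := int(binary.BigEndian.Uint32(pkg[pos:]))
		if pos += 4; n < 0 || n > len(pkg)-pos-8 {
			return total, ErrMalformed
		}
		name := string(pkg[pos : pos+n])
		off, size := uint64(binary.BigEndian.Uint32(pkg[pos+n:])), uint64(binary.BigEndian.Uint32(pkg[pos+n+4:]))
		pos += n + 8
		if off+size > uint64(len(pkg)) { // body outside the package: the slice below would panic
			return total, ErrMalformed
		}
		if lim != nil && (size > lim.MaxFileBytes || total+size > lim.MaxTotalBytes) {
			return total, fmt.Errorf("%w: %q would bring output to %d bytes", ErrLimit, name, total+size)
		}
		body := make([]byte, size) // attacker-sized allocation, once per entry
		copy(body, pkg[off:off+size])
		sink(name, body)
		total += size
	}
	return total, nil
}

type file struct{ name, body string }
// buildPackage lays out the constructed inputs. With share set, every entry after
// the first re-references the first body: the overlap trick that makes a bomb.
func buildPackage(files []file, share bool) []byte {
	indexLen := 0
	for _, f := range files {
		indexLen += minEntryLen + len(f.name)
	}
	base := uint32(headerLen + indexLen)
	var index, bodies []byte
	for i, f := range files {
		off := base + uint32(len(bodies))
		if share && i > 0 {
			off, f.body = base, files[0].body
		} else {
			bodies = append(bodies, f.body...)
		}
		index = binary.BigEndian.AppendUint32(index, uint32(len(f.name)))
		index = binary.BigEndian.AppendUint32(append(index, f.name...), off)
		index = binary.BigEndian.AppendUint32(index, uint32(len(f.body)))
	}
	pkg := binary.BigEndian.AppendUint32([]byte{0xBE, 0, 0, 0, 0}, uint32(indexLen))
	pkg = append(binary.BigEndian.AppendUint32(pkg, uint32(len(bodies))), 0xED)
	pkg = binary.BigEndian.AppendUint32(pkg, uint32(len(files)))
	return append(append(pkg, index...), bodies...)
}

// bombPackage is ~35 KB whose 2000 entries all reference one 1 KiB body.
func bombPackage() []byte {
	files, body := make([]file, 2000), strings.Repeat("A", 1024)
	for i := range files {
		files[i] = file{fmt.Sprintf("f%04d", i), body}
	}
	return buildPackage(files, true)
}

func main() {
	benign := buildPackage([]file{{"app.js", "console.log('hello')"}, {"page.wxml", "<view>hi</view>"}}, false)
	for _, pkg := range [][]byte{benign, bombPackage()} {
		n, err := Unpack(pkg, nil, func(string, []byte) {})
		m, err2 := Unpack(pkg, &Limits{MaxFiles: 4096, MaxFileBytes: 1 << 20, MaxTotalBytes: 256 << 10}, func(string, []byte) {})
		fmt.Printf("%5d bytes in: unchecked %d out (%v); limited %d out (%v)\n", len(pkg), n, err, m, err2)
	}
}
```

Run it with go run (Go 1.19 or later, for binary.BigEndian.AppendUint32). The amplification is kept deliberately small here, about 35 KB in and 2 MB out; the same index layout with 65,536 entries referencing a 1 MiB body turns a 2 MiB package into 64 GiB of output, which is why a cap on total output, and not only a bounds check on each slice, is the check that matters. Note also that a header which merely claims four billion files is stopped by the bounds checks alone, since the index runs out after zero entries, whereas the overlap package passes every bounds check and is stopped only by the limits.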

Description

A vulnerability was found in Ackites KillWxapkg up to 1.1.0. It has been rated as problematic. This issue affects some unknown processing of the component wxapkg File Decompression Handler. The manipulation leads to resource consumption. The attack m