{
  "id": "CVE-2023-43642",
  "summary": "Missing upper bound check on chunk length in snappy-java",
  "details": "snappy-java is a Java port of the snappy, a fast C++ compresser/decompresser developed by Google. The SnappyInputStream was found to be vulnerable to Denial of Service (DoS) attacks when decompressing data with a too large chunk size. Due to missing upper bound check on chunk length, an unrecoverable fatal error can occur. All versions of snappy-java including the latest released version 1.1.10.3 are vulnerable to this issue. A fix has been introduced in commit `9f8c3cf74` which will be included in the 1.1.10.4 release. Users are advised to upgrade. Users unable to upgrade should only accept compressed data from trusted sources.",
  "aliases": ["GHSA-55g7-9cwv-5qfv"],
  "modified": "2026-04-12T02:37:09.909294Z",
  "published": "2023-09-25T19:03:49.145Z",
  "related": ["CGA-g8p3-jq96-p2rq"],
  "database_specific": {
    "cwe_ids": ["CWE-770"],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/43xxx/CVE-2023-43642.json"
  },
  "references": [
    {"type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/43xxx/CVE-2023-43642.json"},
    {"type": "ADVISORY", "url": "https://github.com/xerial/snappy-java/security/advisories/GHSA-55g7-9cwv-5qfv"},
    {"type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43642"},
    {"type": "FIX", "url": "https://github.com/xerial/snappy-java/commit/9f8c3cf74223ed0a8a834134be9c917b9f10ceb5"}
  ],
  "affected": [
    {
      "ranges": [
        {
          "type": "GIT",
          "repo": "https://github.com/xerial/snappy-java",
          "events": [
            {"introduced": "0"},
            {"fixed": "9f8c3cf74223ed0a8a834134be9c917b9f10ceb5"}
          ]
        }
      ],
      "versions": ["1.0.5-M4", "1.1.0", "1.1.0-M1", "1.1.0-M3", "1.1.2.5", "1.1.3-M1", "1.1.3-M2", "1.1.4", "1.1.4-M1", "1.1.4-M2", "1.1.4-M3", "1.1.7", "1.1.7.1", "1.1.7.2", "1.1.7.3", "1.1.7.4", "1.1.7.5", "1.1.7.6", "1.1.7.7", "1.1.7.8", "1.1.8", "1.1.8.1", "1.1.8.2", "1.1.8.3", "1.1.8.4", "snappy-java-1.0.1-rc1", "snappy-java-1.0.1-rc2", "snappy-java-1.0.1-rc3", "snappy-java-1.0.1-rc4", "snappy-java-1.0.3", "snappy-java-1.0.3-rc1", "snappy-java-1.0.3-rc2", "snappy-java-1.0.3-rc3", "snappy-java-1.0.3-rc4", "snappy-java-1.0.3.1", "snappy-java-1.0.3.2", "snappy-java-1.0.3.3", "snappy-java-1.0.4", "snappy-java-1.0.4.1", "v1.1.10.0", "v1.1.10.1", "v1.1.10.2", "v1.1.10.3", "v1.1.9.0", "v1.1.9.1"],
      "database_specific": {
        "vanir_signatures": [
          {
            "id": "CVE-2023-43642-266580c9",
            "digest": {"function_hash": "327796876413512512924952911748094928096", "length": 462},
            "signature_type": "Function",
            "deprecated": false,
            "signature_version": "v1",
            "target": {"function": "SnappyOutputStream", "file": "src/main/java/org/xerial/snappy/SnappyOutputStream.java"},
            "source": "https://github.com/xerial/snappy-java/commit/9f8c3cf74223ed0a8a834134be9c917b9f10ceb5"
          },
          {
            "id": "CVE-2023-43642-64ba1e66",
            "digest": {"function_hash": "321842033826955958372583844996140256361", "length": 1677},
            "signature_type": "Function",
            "deprecated": false,
            "signature_version": "v1",
            "target": {"function": "hasNextChunk", "file": "src/main/java/org/xerial/snappy/SnappyInputStream.java"},
            "source": "https://github.com/xerial/snappy-java/commit/9f8c3cf74223ed0a8a834134be9c917b9f10ceb5"
          },
          {
            "id": "CVE-2023-43642-734dde64",
            "digest": {"line_hashes": ["95799747095657849291300377021449269377", "204599010055405155087118862080772427554", "81051671657690600663023303724912658222"], "threshold": 0.9},
            "signature_type": "Line",
            "deprecated": false,
            "signature_version": "v1",
            "target": {"file": "src/main/java/org/xerial/snappy/SnappyHadoopCompatibleOutputStream.java"},
            "source": "https://github.com/xerial/snappy-java/commit/9f8c3cf74223ed0a8a834134be9c917b9f10ceb5"
          },
          {
            "id": "CVE-2023-43642-a9c8d64d",
            "digest": {"function_hash": "176902404548095947214756451937683015610", "length": 82},
            "signature_type": "Function",
            "deprecated": false,
            "signature_version": "v1",
            "target": {"function": "SnappyInputStream", "file": "src/main/java/org/xerial/snappy/SnappyInputStream.java"},
            "source": "https://github.com/xerial/snappy-java/commit/9f8c3cf74223ed0a8a834134be9c917b9f10ceb5"
          },
          {
            "id": "CVE-2023-43642-bb880fef",
            "digest": {"line_hashes": ["238190652179993881561635884255134129969", "219833580112021283963547606017940986741", "318836194009982663904999743115798865001", "128293740257302312340315179645144948663", "165766621775166163120707397370253403115", "84069243466899400658928126877170631413", "275264827881941225052360434357053812822", "103955961784021514455671590928661879886", "105365667953846555519966059560116753909", "135411848989569965428425263911017889587", "99813241864967661228686136832600703790", "79461475723120289588267807021840777073", "49864716641576601851296287151744075113"], "threshold": 0.9},
            "signature_type": "Line",
            "deprecated": false,
            "signature_version": "v1",
            "target": {"file": "src/main/java/org/xerial/snappy/SnappyInputStream.java"},
            "source": "https://github.com/xerial/snappy-java/commit/9f8c3cf74223ed0a8a834134be9c917b9f10ceb5"
          },
          {
            "id": "CVE-2023-43642-c68d2107",
            "digest": {"line_hashes": ["211334378892407433173951417113500476889", "208189108725793172002504371939228446826", "179005894920051457127014544957047711378", "150273482896157972754713064170707459796", "75824731002920448612958682928465859282", "42104381137338898779999207195392229213", "212299034100859467123658772873005320841", "100200673922823763583101043820133371553", "160638809836190996013145254022653320181", "217925010653338271935092357464446867335", "259020029972958062453997113104492852453"], "threshold": 0.9},
            "signature_type": "Line",
            "deprecated": false,
            "signature_version": "v1",
            "target": {"file": "src/main/java/org/xerial/snappy/SnappyOutputStream.java"},
            "source": "https://github.com/xerial/snappy-java/commit/9f8c3cf74223ed0a8a834134be9c917b9f10ceb5"
          },
          {
            "id": "CVE-2023-43642-fc026610",
            "digest": {"line_hashes": ["230466872839784745832743898606365511345", "108554905992889721315839997229121364180", "56786844490478668954350692438876871676", "102714881459326927712149125709846225621", "178044472692900932490654390056329749804", "72955491443609259571945059203460619183", "312261918170295017878168616427788026645"], "threshold": 0.9},
            "signature_type": "Line",
            "deprecated": false,
            "signature_version": "v1",
            "target": {"file": "src/test/java/org/xerial/snappy/SnappyOutputStreamTest.java"},
            "source": "https://github.com/xerial/snappy-java/commit/9f8c3cf74223ed0a8a834134be9c917b9f10ceb5"
          }
        ],
        "source": "https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-43642.json",
        "vanir_signatures_modified": "2026-04-12T02:37:09Z"
      }
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}
  ]
}