{"id":"PYSEC-2023-121","summary":"zstd vulnerable to buffer overrun","details":"A vulnerability was found in zstd v1.4.10, where an attacker can supply an empty string as an argument to the command-line tool to cause a buffer overrun.","aliases":["CVE-2022-4899","GHSA-5c9c-6x87-f9vm"],"modified":"2026-02-25T19:37:58.018958Z","published":"2023-03-31T20:15:00Z","references":[{"type":"REPORT","url":"https://github.com/facebook/zstd/issues/3200"},{"type":"FIX","url":"https://github.com/facebook/zstd/issues/3200"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20230725-0005/"}],"affected":[{"package":{"name":"zstd","ecosystem":"PyPI","purl":"pkg:pypi/zstd"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.5.4"}]}],"versions":["1.1.4","1.2.0","1.3.0.2","1.3.1","1.3.3","1.3.4","1.3.4.3","1.3.4.4","1.3.4.5","1.3.5.0","1.3.5.1","1.3.8.0","1.3.8.1","1.4.0.0","1.4.1.0","1.4.3.2","1.4.4.0","1.4.5.0","1.4.5.1","1.4.8.0","1.4.8.1","1.4.9.0","1.4.9.1","1.5.0.0","1.5.0.1","1.5.0.2","1.5.0.3","1.5.0.4","1.5.1.0","1.5.2.0","1.5.2.1","1.5.2.2","1.5.2.3","1.5.2.4","1.5.2.5","1.5.2.6"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/zstd/PYSEC-2023-121.yaml"}}],"schema_version":"1.7.3"}