weezl is vulnerable to Denial of Service (DoS)
65
Medium Risk
The weezl LZW decoder can panic when processing malformed or corrupted streams, including cases where min_code_size is 12 and bit-flipped input drives out-of-bounds indexing in decode tables. Before the fix, that panic aborts the process and enables denial of service on untrusted GIF or TIFF LZW payloads. When yield_on_full_buffer is enabled, a small output buffer could also yield a false NoProgress status while data remained in internal buffers, so callers stopped early and silently dropped decoded bytes. Version 0.2.0 replaces panic-prone indexing with bounded table access, improves malformed-stream handling, and corrects progress reporting so buffered decode data is not lost.
You are affected if you are using a version that falls within the vulnerable range.
weezl is vulnerable to Denial of Service (DoS) in versions 0.1.0 - 0.1.12.
Upgrade the weezl library to the patched version (0.2.0 or later).
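The bounded table access that the fix describes, shown as an added example that is not weezl's code: a minimal GIF-style (LSB-first) LZW decoder that returns an error for a code the table cannot resolve instead of indexing past it. The names decode_lsb and LzwError and the input streams are constructed for this example; because literal symbols are emitted as bytes, min_code_size is limited to 2..=8 here.

```rust
// Added example (not weezl's code): a minimal GIF-style LSB-first LZW decoder with
// bounds-checked table lookups, so a corrupted code yields an error, not a panic.
#[derive(Debug, PartialEq)]
pub enum LzwError {
    InvalidCode { code: u16, table_len: usize }, // neither a table entry nor the KwKwK case
    BadCodeSize(u8),
}

pub fn decode_lsb(data: &[u8], min_code_size: u8) -> Result<Vec<u8>, LzwError> {
    // Literal symbols are bytes in this example, so only 2..=8 is accepted.
    if !(2..=8).contains(&min_code_size) { return Err(LzwError::BadCodeSize(min_code_size)); }
    let (clear, eoi) = (1usize << min_code_size, (1usize << min_code_size) + 1);
    // Each entry stores the full byte string it expands to (simple, not fast).
    let reset = |t: &mut Vec<Vec<u8>>| {
        t.clear();
        t.extend((0..clear).map(|b| vec![b as u8]));
        t.extend([Vec::new(), Vec::new()]); // placeholders for the clear and EOI codes
    };
    let mut table = Vec::new();
    reset(&mut table);
    let mut code_size = min_code_size as u32 + 1;
    let (mut acc, mut nbits, mut prev, mut out) = (0u32, 0u32, None::<usize>, Vec::new());
    for &byte in data {
        acc |= (byte as u32) << nbits;
        nbits += 8;
        while nbits >= code_size {
            let code = (acc & ((1 << code_size) - 1)) as usize;
            acc >>= code_size;
            nbits -= code_size;
            if code == clear {
                reset(&mut table); code_size = min_code_size as u32 + 1; prev = None;
                continue;
            }
            if code == eoi { return Ok(out); }
            // Bounded access: an existing entry, or the single not-yet-added entry (KwKwK
            // case) when a previous code exists to derive it from; anything else errors.
            let entry = match prev {
                _ if code < table.len() => table[code].clone(),
                Some(p) if code == table.len() => [table[p].as_slice(), &table[p][..1]].concat(),
                _ => return Err(LzwError::InvalidCode { code: code as u16, table_len: table.len() }),
            };
            out.extend_from_slice(&entry);
            if let (Some(p), true) = (prev, table.len() < 4096) {
                table.push([table[p].as_slice(), &entry[..1]].concat());
                if table.len() == (1 << code_size) && code_size < 12 {
                    code_size += 1; // GIF widens codes once the table fills the current width
                }
            }
            prev = Some(code);
        }
    }
    Ok(out) // no EOI seen: stream truncated, but the bytes decoded so far are returned
}
```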