Missing configuration against decompression bomb


Decompression bombs pose a risk by exploiting applications that process compressed files. These attacks involve a compressed file that is small in size but expands to a significantly larger size when decompressed. This can overwhelm system resources such as CPU, memory, or disk space, causing a Denial of Service (DoS).


  • Do limit the decompression size. Use io.LimitReader, for example, to restrict the amount of data that a reader will decompress. This prevents the decompression of large files that could fill up memory or disk space.
    const maxDecompressSize = 10 * 1024 * 1024 // 10 MB
    limitedReader := io.LimitReader(r, maxDecompressSize)
  • Do monitor resource usage to detect unexpected increases in CPU, memory, or disk usage, which may indicate an attack.
  • Do validate the size and type of input files before decompression. Reject files that do not meet predefined criteria to avoid processing potentially harmful data.
  • Do ensure your application fails safely. It should handle decompression errors without crashing or becoming unresponsive.
  • Do regularly update your compression libraries to incorporate the latest security patches and protect against known vulnerabilities.
  • Do educate users about the risks associated with decompression bombs, especially if they have the ability to upload compressed files.

Associated CWE


To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=go_gosec_filesystem_decompression_bomb

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=go_gosec_filesystem_decompression_bomb