CVE-2024-53992

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-53992
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-53992.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-53992
Aliases
  • GHSA-34cg-7f8c-fm5h
Published
2024-12-02T17:03:22Z
Modified
2025-10-20T20:08:16.280390Z
Severity
  • 8.8 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
unzip-bot Allows Remote Code Execution (RCE) via archive extraction, password prompt, or video upload
Details

unzip-bot is a Telegram bot that extracts various types of archives. Unsanitized user input is passed to subprocess.Popen with shell=True, so a user can inject shell commands that the bot then executes. Attackers can trigger this vulnerability with a crafted archive name, password, or video name. This vulnerability is fixed in 7.0.3a.
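As an added example (not unzip-bot's own code; the 7z invocation, the allow-list and the helper names are assumptions), this shows the general remedy for the CWE-78 pattern described above: every user-controlled value becomes one argv element passed with shell=False, instead of being interpolated into a shell=True command string, so characters such as `;` or `$(` are never parsed by a shell.

```python
import re
import subprocess
from pathlib import Path
from typing import List, Optional

# Constructed example: conservative allow-list for archive/video names. This is
# defence in depth, not a substitute for shell=False (passwords, for instance,
# legitimately contain arbitrary characters and must still be passed safely).
SAFE_NAME = re.compile(r"[A-Za-z0-9._ -]{1,128}")


def validate_name(name: str) -> str:
    """Reject file names outside the allow-list (and the '.'/'..' path entries)."""
    if not SAFE_NAME.fullmatch(name) or name in (".", ".."):
        raise ValueError(f"rejected file name: {name!r}")
    return name


def build_extract_argv(archive: Path, dest: Path, password: Optional[str] = None) -> List[str]:
    """Build a 7z argv list (assumed tool). Each user-controlled value is exactly
    one list element, so it reaches the program as a literal argument."""
    argv = ["7z", "x", "-y", f"-o{dest}"]
    if password is not None:
        argv.append(f"-p{password}")  # one element even with spaces or '$('
    argv.append("--")  # end of switches: an archive name starting with '-' is a name
    argv.append(str(archive))
    return argv


def run_argv(argv: List[str], timeout: int = 300) -> subprocess.CompletedProcess:
    """shell=False: argv goes straight to execve(), no /bin/sh, no word splitting."""
    return subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=timeout)


def echo_args(argv: List[str]) -> List[str]:
    """Show that each element arrives intact by echoing the arguments through
    coreutils printf instead of running the archiver (no 7z needed to test)."""
    proc = run_argv(["printf", "%s\n", *argv[1:]])
    return proc.stdout.splitlines()
```

With shell=True the same password string would have been handed to /bin/sh and expanded; here printf receives the untouched text `-pp w$(id)` as a single argument.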

Database specific
{
    "cwe_ids": [
        "CWE-78"
    ]
}
Affected packages

Git / github.com/edm115/unzip-bot

Affected ranges

Type
GIT
Repo
https://github.com/edm115/unzip-bot
Events
Introduced
0 (unknown introduced commit; all previous commits are affected)
Fixed

Affected versions

  • 2.*: 2.0
  • 3.*: 3.0
  • 4.*: 4.0, 4.5
  • 5.*: 5.0
  • 6.*: 6.0, 6.2, 6.3, 6.3.2, 6.3.3
  • 7.*: 7.0.0a, 7.0.0a-herokufix