CVE-2024-8088 | Infinite loop when iterating over zip archive entry names from zipfile.Path

There is a HIGH severity vulnerability affecting the CPython "zipfile" module affecting "zipfile.Path". Note that the more common API "zipfile.ZipFile" class is unaffected. When iterating over names of entries in a zip archive (for example, methods of "zipfile.Path" like "namelist()", "iterdir()", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected.

Published: 2024-08-22 Last update: 2026-06-17 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2024-8088 is rated Moderate Risk (59/100): CVSS High severity, with medium exploitation likelihood (EPSS 1.27%). Core evidence: EPSS rose +1.09% over the last day, indicating growing attacker interest. Mandatory action: Review affected assets and schedule remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2024-8088

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 0.18% 1.27% +1.09%
2 2026-02-21 0.33% 0.18% -0.15%
3 2026-01-11 0.33%

Full EPSS history (17 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2024-8088

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
8.7 4.0 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:X/RE:L/U:X Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network.
Attack complexity (AC:L)
Exploitation conditions are straightforward and stable.
Attack requirements (AT:N)
No additional preconditions are required beyond normal reachability.
Privileges required (PR:N)
No privileges are required.
User interaction (UI:N)
No user interaction is required.
Vulnerable system confidentiality impact (VC:N)
No confidentiality impact on the vulnerable system.
Vulnerable system integrity impact (VI:N)
No integrity impact on the vulnerable system.
Vulnerable system availability impact (VA:H)
High availability impact on the vulnerable system.
Subsequent system confidentiality impact (SC:N)
No confidentiality impact on subsequent systems.
Subsequent system integrity impact (SI:N)
No integrity impact on subsequent systems.
Subsequent system availability impact (SA:N)
No availability impact on subsequent systems.
Exploit maturity (threat) (E:X)
Not defined: no reliable threat intelligence; scoring assumes the worst case (equivalent to Attacked).
Confidentiality requirement (CR:X)
Not defined: insufficient information; scoring treats this like High (worst case).
Integrity requirement (IR:X)
Not defined: insufficient information; scoring treats this like High (worst case).
Availability requirement (AR:X)
Not defined: insufficient information; scoring treats this like High (worst case).
Modified attack vector (MAV:X)
Not defined: scoring uses the Base Attack Vector (AV).
Modified attack complexity (MAC:X)
Not defined: scoring uses the Base Attack Complexity (AC).
Modified attack requirements (MAT:X)
Not defined: scoring uses the Base Attack Requirements (AT).
Modified privileges required (MPR:X)
Not defined: scoring uses the Base Privileges Required (PR).
Modified user interaction (MUI:X)
Not defined: scoring uses the Base User Interaction (UI).
Modified vulnerable system confidentiality impact (MVC:X)
Not defined: scoring uses the Base VC metric.
Modified vulnerable system integrity impact (MVI:X)
Not defined: scoring uses the Base VI metric.
Modified vulnerable system availability impact (MVA:X)
Not defined: scoring uses the Base VA metric.
Modified subsequent system confidentiality impact (MSC:X)
Not defined: scoring uses the Base SC metric.
Modified subsequent system integrity impact (MSI:X)
Not defined: scoring uses the Base SI metric.
Modified subsequent system availability impact (MSA:X)
Not defined: scoring uses the Base SA metric.
Safety (supplemental) (S:N)
Negligible: impact meets the IEC 61508 negligible safety consequence category.
Automatable (supplemental) (AU:N)
No: attackers cannot reliably automate reconnaissance through exploitation for this issue.
Recovery (supplemental) (R:U)
User: manual user intervention is needed to recover services.
Value density (supplemental) (V:X)
Not evaluated.
Vulnerability response effort (supplemental) (RE:L)
Low/trivial response effort (documentation, simple configuration, low-touch guidance).
Provider urgency (supplemental) (U:X)
Not evaluated.
[email protected]

Weakness enumeration for CVE-2024-8088

OS Trackers for CVE-2024-8088

vendor priority summary link
alpine CVE-2024-8088: 1 source package rows (python3); 7 state rows across 7 repos (3.17-main, 3.18-main, 3.19-main, 3.20-main, 3.21-main, 3.22-main, edge-main); fixed 7, open 0. https://security.alpinelinux.org/vuln/CVE-2024-8088
debian unimportant CVE-2024-8088 unimportant priority: Debian including 5 source packages (pypy3, python2.7, python3.11, python3.13, python3.9), 11 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 10, open 1. https://security-tracker.debian.org/tracker/CVE-2024-8088
gentoo high CVE-2024-8088: 1 GLSA(s) (202506-07), 2 atom(s) (dev-lang/pypy, dev-lang/python); latest impact high. https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2024-8088
redhat medium https://access.redhat.com/security/cve/CVE-2024-8088
suse medium CVE-2024-8088 severity moderate: SUSE including 490 source package names (0.0.17-1.1:libpython3_11-1_0-3.11.10-150600.3.6.1, 0.0.17-1.1:python311-base-3.11.10-150600.3.6.1, …), 1397 product×package rows across 234 product lines (Container containers/apache-pulsar, Container containers/lmcache-lmstack-router, … (234 product lines)): Fixed 948, Known Affected 231, Known Not Affected 218. https://www.suse.com/security/cve/CVE-2024-8088/
ubuntu medium CVE-2024-8088 medium priority: Ubuntu including 11 source packages (python2.7, python3.10, …), 86 status rows across 10 suites (bionic, focal, jammy, noble, oracular, plucky, questing, trusty, upstream, xenial): DNE 55, not-affected 19, needs-triage 6, released 5, ignored 1. https://ubuntu.com/security/CVE-2024-8088

Affected software / configurations for CVE-2024-8088

Vendor Product Version Raw CPE
No affected products in dataset.

References for CVE-2024-8088

URL Tags
https://github.com/python/cpython/commit/0aa1ee22ab6e204e9d3d0e9dd63ea648ed691ef1
https://github.com/python/cpython/commit/2231286d78d328c2f575e0b05b16fe447d1656d6
https://github.com/python/cpython/commit/795f2597a4be988e2bb19b69ff9958e981cb894e
https://github.com/python/cpython/commit/7bc367e464ce50b956dd232c1dfa1cad4e7fb814
https://github.com/python/cpython/commit/7e8883a3f04d308302361aeffc73e0e9837f19d4
https://github.com/python/cpython/commit/8c7348939d8a3ecd79d630075f6be1b0c5b41f64
https://github.com/python/cpython/commit/95b073bddefa6243effa08e131e297c0383e7f6a
https://github.com/python/cpython/commit/962055268ed4f2ca1d717bfc8b6385de50a23ab7
https://github.com/python/cpython/commit/9cd03263100ddb1657826cc4a71470786cab3932
https://github.com/python/cpython/commit/dcc5182f27c1500006a1ef78e10613bb45788dea
https://github.com/python/cpython/commit/e0264a61119d551658d9445af38323ba94fc16db
https://github.com/python/cpython/commit/fc0b8259e693caa8400fa8b6ac1e494e47ea7798
https://github.com/python/cpython/issues/122905
https://github.com/python/cpython/issues/123270
https://github.com/python/cpython/pull/122906
https://mail.python.org/archives/list/[email protected]/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/
http://www.openwall.com/lists/oss-security/2024/08/22/1
http://www.openwall.com/lists/oss-security/2024/08/22/4
http://www.openwall.com/lists/oss-security/2024/08/23/1
http://www.openwall.com/lists/oss-security/2024/08/23/2
https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html
https://security.netapp.com/advisory/ntap-20241011-0010/
cvelogic Threat Intelligence