Audiobookshelf: Memory amplification DoS via oversized compressed details entry in backup upload

CVE	CVE-2026-42886
State	PUBLISHED
Assigner	GitHub_M
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-05-11 20:25:45 UTC
Updated	2026-05-12 14:50:18 UTC
Description	Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the POST /api/backups/upload endpoint decompresses the details entry from an uploaded .audiobookshelf ZIP file entirely into memory using zip.entryData(), with no limit on the decompressed size. The upload middleware also has no file size limit. An admin user can upload a crafted ZIP containing a highly compressed details entry that, when decompressed, consumes hundreds of megabytes or gigabytes of memory, crashing the server process via out-of-memory. This vulnerability is fixed in 2.32.2.

Primary CVSS: v3.1 4.9 MEDIUM from [email protected]

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Problem Types: CWE-409 | CWE-409 CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)

Version	Source	Type	Score	Severity	Vector
3.1	[email protected]	Secondary	4.9	MEDIUM	`CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H`
3.1	CNA	DECLARED	4.9	MEDIUM	`CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H`

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Source	Vendor	Product	Version	Platforms
CNA	Advplyr	Audiobookshelf	affected < 2.33.2	Not specified

Reference	Source	Link	Tags
github.com/advplyr/audiobookshelf/security/advisories/GHSA-4jq4-rvq8-j26h	134c704f-9b21-4f2e-91b3-4a467353bcc0	github.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.