Post a reply

Before posting, please read how to report bug or request support effectively.

Bug reports without an attached log file are usually useless.

Username

Subject

Message body

Font colour:

Font size:

[quote="sgk"]This has been reported as a critical (9.8) vulnerability for zlib libraries used by WinSCP - https://nvd.nist.gov/vuln/detail/cve-2022-37434
[quote]Vulnerability description - 
zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).
Metrics   
NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 3.x Severity and Vector Strings:

NIST CVSS scoreNIST: NVD
Base Score: 9.8 CRITICALVector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ADP:  CISA-ADP
Base Score: 9.8 CRITICALVector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
[/quote]
Refer to this link for details on the vulnerability found using the ReversingLabs binary scan tool - https://secure.software/nuget/packages/winscp[/quote]

Options

Disable BBCode in this post

Notify me when a reply is posted (registered users only)

Add an Attachment

If you do not want to add an Attachment to your Post, please leave the Fields blank.

Filename

(maximum 10 MB; please compress large files; only common media, archive, text and programming file formats are allowed)

File Comment

Options

Private file (available to author and site moderators only)

Topic review

martin

Re: Critical Issue - CVE-2022-37434 - reported in versions of zlib libraries referenced by

2025-09-22

To our best knowledge, WinSCP uses zlib library only internally to render PNG toolbar icons loaded from within signed WinSCP binary itself.

So we believe the zlib vulnerability is not exploitable, because zlib-using PNG decode code paths are only used to process trusted, embedded PNG resources, and never for any user-supplied PNG files.

sgk

Critical Issue - CVE-2022-37434 - reported in versions of zlib libraries referenced by

2025-07-30 19:37

This has been reported as a critical (9.8) vulnerability for zlib libraries used by WinSCP - https://nvd.nist.gov/vuln/detail/cve-2022-37434

Vulnerability description -
zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).
Metrics
NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 3.x Severity and Vector Strings:

NIST CVSS scoreNIST: NVD
Base Score: 9.8 CRITICALVector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ADP: CISA-ADP
Base Score: 9.8 CRITICALVector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Refer to this link for details on the vulnerability found using the ReversingLabs binary scan tool - https://secure.software/nuget/packages/winscp

Post a reply

Topic review

Re: Critical Issue - CVE-2022-37434 - reported in versions of zlib libraries referenced by

Critical Issue - CVE-2022-37434 - reported in versions of zlib libraries referenced by

Documentation

Support

Associations

Follow Us