Critical Issue - CVE-2022-37434 - reported in versions of zlib libraries referenced by :: Support Forum

sgk
Joined:: 2025-07-30
Posts:: 1

Critical Issue - CVE-2022-37434 - reported in versions of zlib libraries referenced by

2025-07-30 19:37

This has been reported as a critical (9.8) vulnerability for zlib libraries used by WinSCP - https://nvd.nist.gov/vuln/detail/cve-2022-37434

Vulnerability description -
zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).
Metrics
NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 3.x Severity and Vector Strings:

NIST CVSS scoreNIST: NVD
Base Score: 9.8 CRITICALVector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ADP: CISA-ADP
Base Score: 9.8 CRITICALVector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Refer to this link for details on the vulnerability found using the ReversingLabs binary scan tool - https://secure.software/nuget/packages/winscp

Reply with quote

martin◆ Site Admin
Joined:: 2002-12-10
Posts:: 42,264
Location:: Prague, Czechia

Re: Critical Issue - CVE-2022-37434 - reported in versions of zlib libraries referenced by

2025-08-01

WinSCP does not use zlib library:
WinSCP and zlib

Reply with quote

Critical Issue - CVE-2022-37434 - reported in versions of zlib libraries referenced by

Critical Issue - CVE-2022-37434 - reported in versions of zlib libraries referenced by

Re: Critical Issue - CVE-2022-37434 - reported in versions of zlib libraries referenced by

Documentation

Support

Associations

Follow Us