Prevent Memory Exhaustion from Decompression Bomb Attacks

Decompression Protection introduces a circuit breaker in the Skyhigh Secure Web Gateway (SWG) to defend against decompression bombs, also known as zip bombs. These malicious files use extreme compression to appear small in transit but expand by orders of magnitude when processed, with the intent of exhausting system memory (RAM) and disrupting services.

This protection mitigates CVE-2025-6176, which abuses highly efficient compression algorithms such as Brotli. For example, an attacker can compress 80 GiB of data into a file smaller than 64 KB. Because size checks are often applied only to the compressed input, the SWG and downstream clients would otherwise run straight into an Out of Memory (OOM) condition during decompression. This feature inspects the decompressed output size in real time, while the stream is being inflated, to prevent such exhaustion.

Dual-Layer Defense Strategy

By enforcing limits at the gateway level, the system provides a two-fold security barrier:

  • Infrastructure Protection (SWG): The gateway prevents itself from crashing or becoming unresponsive, ensuring high availability for all users.
  • Endpoint Protection (Client): The SWG shields the user's browser or application from receiving a payload that would freeze their device or crash their local session.
Key Configuration Settings

Admins enable these protections with two settings (checkboxes) in the management interface:

Setting                              Function                                                                          Default value
Set limit for uncompressed data      Hard cap on the total size a file may reach after decompression (in MiB).         4096 MiB
Set limit for compression ratio      Cap on the compression ratio, i.e. uncompressed size divided by compressed size.  1000

Security Impact. If a stream would expand beyond the configured uncompressed-size cap (in MiB) or exceed the configured ratio (Ratio = Uncompressed Size / Compressed Size), the SWG stops decompression at that point and drops the connection rather than buffering any further output.

Configure decompression protection using either global appliance settings or policy-based controls, depending on your deployment requirements.

Configure Decompression Protection (Global Configuration)

Follow these steps to apply decompression limits across the entire appliance.

  1. Log in to the SWG management interface.
  2. Navigate to Configuration > Appliances.
  3. Select the required appliance.
  4. Go to Proxies (HTTP(S), FTP, SOCKS, ICAP...).
  5. Click Advanced Settings.
  6. Enable Set limit for uncompressed data (content-encoding) (in MiB).
  7. Enter the maximum allowed decompressed size in MiB.
    • Default value: 4096 MiB
  8. Enable Set limit for compression ratio.
  9. Enter the maximum allowed compression ratio.
    • Default value: 1000
  10. Save the configuration.


The system now enforces decompression size and ratio limits for all proxy traffic processed by the appliance.

Configure Decompression Protection (Policy-Based Configuration)

Follow these steps to apply decompression limits to specific traffic based on user, destination, or media type.

  1. Log in to the SWG management interface.
  2. Go to Policy.
  3. Create a new rule or edit an existing rule.
  4. Select the Enable Proxy Control event.
  5. Choose an existing Proxy Control Parameters container or create a new one.
  6. Inside the container, enable Set limit for uncompressed data (content-encoding) (in MiB).
    • Define the maximum decompressed size in MiB.
  7. Enable Set limit for compression ratio.
    • Define the maximum allowed ratio value.
  8. Save the rule.


IMPORTANT: Place the Proxy Control event at the top of the policy, before any body inspection rules such as Media Type or Gateway Anti-Malware (GAM), to ensure decompression limits are enforced before the system downloads and extracts the full file.

The system now enforces decompression limits only for traffic matching the configured rule criteria.

Decompression Protection Behavior

Decompression bomb attacks do not require authentication and can target any system that processes compressed HTTP content. Because compression methods such as Brotli are commonly enabled by default, attackers can deliver highly compressed payloads that expand aggressively during decompression.

If a system validates only the compressed input size, it may process the expanded payload and trigger Out of Memory (OOM) conditions, disrupting proxy services and impacting downstream clients.

Decompression Protection mitigates CVE-2025-6176 by enforcing real-time inspection of decompressed output size and compression ratio. When traffic exceeds configured thresholds, the Secure Web Gateway (SWG) terminates the connection and returns a controlled error response instead of forwarding the payload.

This enforcement protects system memory and maintains service availability.
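The following is an added example, not Skyhigh code, showing what the two limits from the Key Configuration Settings table and this Behavior section amount to when implemented as a streaming check: output is inflated in fixed-size steps, and after every step the partial output is tested against an uncompressed-size cap and a ratio cap, so the process aborts long before a bomb fills memory. It uses the Python standard library's zlib (deflate in zlib or gzip framing, both common content-encodings) because Brotli is not in the standard library; the bomb and the other payloads are constructed inline. The `ratio_grace` parameter is this example's own assumption, not a setting on this page: it delays the ratio check until a minimum amount of output exists, because the first few KiB of many legitimate files (zero-filled headers, padding) inflate at a very high local ratio.

```python
"""Streaming inflate with decompression-bomb limits (added example, not Skyhigh code)."""
import gzip
import os
import zlib

MIB = 1024 * 1024


class DecompressionBombError(Exception):
    """Raised when decompressed output violates a configured limit.

    `reason` is "size" (uncompressed cap hit) or "ratio" (compression-ratio cap hit).
    """

    def __init__(self, reason: str, produced: int, consumed: int):
        super().__init__(f"decompression limit hit ({reason}): "
                         f"{produced} bytes out from {consumed} bytes in")
        self.reason = reason
        self.produced = produced
        self.consumed = consumed


def safe_inflate(compressed: bytes,
                 max_uncompressed: int = 4096 * MIB,   # page default: 4096 MiB
                 max_ratio: float = 1000.0,            # page default: 1000
                 ratio_grace: int = 256 * 1024,        # this example's assumption (see lead-in)
                 chunk: int = 64 * 1024) -> bytes:
    """Inflate zlib- or gzip-framed deflate data while enforcing both limits.

    Output is produced at most `chunk` bytes per step (zlib's max_length), so the
    checks run on the partial output *while* inflating and peak memory never
    exceeds max_uncompressed + chunk, however far the input would expand.
    """
    inflater = zlib.decompressobj(wbits=zlib.MAX_WBITS | 32)  # auto-detect zlib/gzip header
    out = bytearray()
    offset = 0       # bytes of `compressed` handed to the inflater so far
    pending = b""    # input handed over but not yet consumed (zlib's unconsumed_tail)

    while True:
        if pending:
            data = pending
        elif offset < len(compressed):
            data = compressed[offset:offset + chunk]
            offset += len(data)
        else:
            break  # input exhausted without an end-of-stream marker; return what we have
        out += inflater.decompress(data, chunk)
        pending = inflater.unconsumed_tail
        produced = len(out)
        consumed = offset - len(pending)   # pending is always a suffix of the bytes fed

        if produced > max_uncompressed:
            raise DecompressionBombError("size", produced, consumed)
        if produced >= ratio_grace and consumed and produced / consumed > max_ratio:
            raise DecompressionBombError("ratio", produced, consumed)
        if inflater.eof:
            break
    return bytes(out)


def make_bomb(uncompressed_size: int) -> bytes:
    """Constructed sample: `uncompressed_size` zero bytes, deflated at level 9.

    Deflate encodes long zero runs at roughly 1000:1, so 8 MiB fits in about 8 KiB.
    """
    return zlib.compress(b"\0" * uncompressed_size, 9)


def classify(compressed: bytes, **limits) -> str:
    """Return "ok", "size" or "ratio" for a payload under the given limits."""
    try:
        safe_inflate(compressed, **limits)
        return "ok"
    except DecompressionBombError as exc:
        return exc.reason


def gzip_roundtrip(payload: bytes, **limits) -> bool:
    """True if a gzip-framed payload inflates back to itself under the limits."""
    return safe_inflate(gzip.compress(payload), **limits) == payload


if __name__ == "__main__":
    bomb = make_bomb(8 * MIB)
    print(f"bomb: {len(bomb)} bytes compressed, {8 * MIB} bytes uncompressed")
    print("ratio cap 100, size cap 1 MiB ->", classify(bomb, max_uncompressed=MIB, max_ratio=100))
    print("size cap 1 MiB only           ->", classify(bomb, max_uncompressed=MIB, max_ratio=1e9))
    print("incompressible 64 KiB         ->",
          classify(zlib.compress(os.urandom(64 * 1024)), max_uncompressed=MIB, max_ratio=100))
    print("gzip text round-trip          ->",
          gzip_roundtrip(b"GET /index.html HTTP/1.1\r\n" * 1000, max_uncompressed=MIB, max_ratio=100))
```

Running it shows the two limits tripping independently: with a tight ratio cap the 8 MiB zero bomb is rejected with reason "ratio" after only a few hundred KiB have been produced, and with the ratio cap disabled the same bomb is rejected with reason "size" as soon as output crosses 1 MiB, while incompressible data and a repetitive but small text body pass. The point a gateway implementer should take from it is that neither check ever needs the full expanded payload in memory, which is exactly what distinguishes this from checking the compressed size up front.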
