CVE-2025-6176

EUVD-2025-37237

31.10.2025, 00:15

Scrapy versions up to 2.13.2 are vulnerable to a denial of service (DoS) attack due to a flaw in its brotli decompression implementation. The protection mechanism against decompression bombs fails to mitigate the brotli variant, allowing remote servers to crash clients with less than 80GB of available memory. This occurs because brotli can achieve extremely high compression ratios for zero-filled data, leading to excessive memory consumption during decompression.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 9%

Debian Releases

Debian Product

Codename

python-scrapy

bookworm	unimportant
bullseye	unimportant
forky	2.15.1-1 fixed
sid	2.16.0-1 fixed
trixie	unimportant

Ubuntu Releases

Ubuntu Product

Codename

python-scrapy

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	needs-triage
plucky	ignored
questing	needs-triage
resolute	needs-triage
xenial	ignored

Red Hat Enterprise Linux Releases

Red Hat Product

Release

brotli

RHEL 8	0:1.0.6-4.el8_10 fixed
RHEL 8.4 AUS	0:1.0.6-4.el8_4 fixed
RHEL 8.6 AUS	0:1.0.6-4.el8_6 fixed
RHEL 8.6 E4S	0:1.0.6-4.el8_6 fixed
RHEL 8.6 TUS	0:1.0.6-4.el8_6 fixed
RHEL 8.8 E4S	0:1.0.6-4.el8_8 fixed
RHEL 8.8 TUS	0:1.0.6-4.el8_8 fixed
RHEL 9	0:1.0.9-9.el9_7 fixed

brotli-devel

RHEL 8	0:1.0.6-4.el8_10 fixed
RHEL 8.4 AUS	0:1.0.6-4.el8_4 fixed
RHEL 8.6 AUS	0:1.0.6-4.el8_6 fixed
RHEL 8.6 E4S	0:1.0.6-4.el8_6 fixed
RHEL 8.6 TUS	0:1.0.6-4.el8_6 fixed
RHEL 8.8 E4S	0:1.0.6-4.el8_8 fixed
RHEL 8.8 TUS	0:1.0.6-4.el8_8 fixed
RHEL 9	0:1.0.9-9.el9_7 fixed

libbrotli

RHEL 9

0:1.0.9-9.el9_7

fixed

python3-brotli

RHEL 8	0:1.0.6-4.el8_10 fixed
RHEL 8.4 AUS	0:1.0.6-4.el8_4 fixed
RHEL 8.6 AUS	0:1.0.6-4.el8_6 fixed
RHEL 8.6 E4S	0:1.0.6-4.el8_6 fixed
RHEL 8.6 TUS	0:1.0.6-4.el8_6 fixed
RHEL 8.8 E4S	0:1.0.6-4.el8_8 fixed
RHEL 8.8 TUS	0:1.0.6-4.el8_8 fixed
RHEL 9	0:1.0.9-9.el9_7 fixed

Common Weakness Enumeration

CWE-400 - Uncontrolled Resource Consumption
The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

References

https://huntr.com/bounties/2c26a886-5984-47ee-a421-0d5fe1344eb0