Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2025-6176

Опубликовано: 31 окт. 2025
Источник: debian

Описание

Scrapy versions up to 2.13.2 are vulnerable to a denial of service (DoS) attack due to a flaw in its brotli decompression implementation. The protection mechanism against decompression bombs fails to mitigate the brotli variant, allowing remote servers to crash clients with less than 80GB of available memory. This occurs because brotli can achieve extremely high compression ratios for zero-filled data, leading to excessive memory consumption during decompression.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
python-scrapyfixed2.13.4-1package

Примечания

  • https://huntr.com/bounties/2c26a886-5984-47ee-a421-0d5fe1344eb0

  • Fixed by: https://github.com/scrapy/scrapy/commit/c44b8df6c7f8a6650c9655e271da2ba3a764fa15 (2.13.4)

  • To effectively mitigate the issue python-scrapy needs to use brotli >= 1.2.0

  • adding support for limiting output size in Python streaming decompression.

  • Support in brotli: https://bugs.debian.org/1122212

  • https://github.com/google/brotli/pull/1234

  • Negligible security impact

Связанные уязвимости

ubuntu логотип

CVE-2025-6176

CVSS3: 7.5
ubuntu
3 месяца назад

Scrapy versions up to 2.13.2 are vulnerable to a denial of service (DoS) attack due to a flaw in its brotli decompression implementation. The protection mechanism against decompression bombs fails to mitigate the brotli variant, allowing remote servers to crash clients with less than 80GB of available memory. This occurs because brotli can achieve extremely high compression ratios for zero-filled data, leading to excessive memory consumption during decompression.

nvd логотип

CVE-2025-6176

CVSS3: 7.5
nvd
3 месяца назад

Scrapy versions up to 2.13.2 are vulnerable to a denial of service (DoS) attack due to a flaw in its brotli decompression implementation. The protection mechanism against decompression bombs fails to mitigate the brotli variant, allowing remote servers to crash clients with less than 80GB of available memory. This occurs because brotli can achieve extremely high compression ratios for zero-filled data, leading to excessive memory consumption during decompression.

rocky логотип

RLSA-2026:0845

rocky
18 дней назад

Important: brotli security update

github логотип

GHSA-2qfp-q593-8484

CVSS3: 7.5
github
3 месяца назад

Scrapy is vulnerable to a denial of service (DoS) attack due to flaws in brotli decompression implementation

oracle-oval логотип

ELSA-2026-2042

oracle-oval
4 дня назад

ELSA-2026-2042: brotli security update (IMPORTANT)