CVE-2025-6176

Name: CVE-2025-6176
Description: Scrapy versions up to 2.13.2 are vulnerable to a denial of service (DoS) attack due to a flaw in its brotli decompression implementation. The protection mechanism against decompression bombs fails to mitigate the brotli variant, allowing remote servers to crash clients with less than 80 GB of available memory. This occurs because brotli can achieve extremely high compression ratios for zero-filled data, leading to excessive memory consumption during decompression.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search)
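The failure mode in the description is a size check that runs only after the whole decompressed body has been materialised, which is too late for a zero-filled bomb. The following example, added here and not taken from Scrapy or from the fix commit, contrasts that pattern with a decompressor that bounds its output per step and aborts as soon as the running total crosses the limit. It uses zlib as a stand-in because the brotli binding is not in the Python standard library; the function names, the `DecompressionBombError` class, the 1 MiB cap and the 16 MiB constructed zero bomb are all assumptions for illustration. The same shape of check is what brotli needs, with one caveat that matters for this CVE: feeding the compressed input in small slices is not enough, because a few bytes of brotli input can expand into gigabytes of zeros, so the decompression call itself must be output-bounded.

```python
import zlib


class DecompressionBombError(ValueError):
    """Raised when decompressed output exceeds the allowed size.

    `produced` records how many bytes were built before the rejection,
    which is the whole point of the comparison below.
    """

    def __init__(self, produced, max_size):
        super().__init__(
            f"decompressed output exceeded {max_size} bytes "
            f"({produced} bytes materialised before abort)"
        )
        self.produced = produced
        self.max_size = max_size


def decompress_then_check(data, max_size):
    """Vulnerable pattern (hypothetical name): decompress everything, then check.

    The limit is enforced, but only after the full output already sits in
    memory, so a bomb consumes RAM before it is rejected.
    """
    out = zlib.decompress(data)
    if len(out) > max_size:
        raise DecompressionBombError(len(out), max_size)
    return out


def decompress_bounded(data, max_size, chunk=64 * 1024):
    """Hardened pattern (hypothetical name): output-bounded, incremental.

    zlib's decompressobj.decompress(data, max_length) never returns more
    than `chunk` bytes per call and parks unprocessed input in
    `unconsumed_tail`, so memory use is bounded by max_size + chunk
    regardless of the compression ratio of the input.
    """
    d = zlib.decompressobj()
    out = bytearray()
    pending = data
    while pending or not d.eof:
        piece = d.decompress(pending, chunk)
        pending = d.unconsumed_tail
        if not piece and not pending and not d.eof:
            raise zlib.error("truncated compressed stream")
        out += piece
        if len(out) > max_size:
            # Abort with at most one extra chunk allocated beyond the cap.
            raise DecompressionBombError(len(out), max_size)
    return bytes(out)


def bytes_materialised(decompress_fn, data, max_size):
    """Return how many output bytes `decompress_fn` built before rejecting `data`,
    or None if it accepted the input."""
    try:
        decompress_fn(data, max_size)
    except DecompressionBombError as exc:
        return exc.produced
    return None


# Constructed sample inputs (assumptions, not real traffic): a benign body and a
# zero-filled bomb that inflates from roughly 16 KiB to 16 MiB.
MAX_SIZE = 1024 * 1024
SMALL = b"<html><body>hello</body></html>" * 100
SMALL_COMPRESSED = zlib.compress(SMALL)
ZERO_BOMB = zlib.compress(b"\x00" * (16 * 1024 * 1024), 9)

if __name__ == "__main__":
    print("benign body round-trips:", decompress_bounded(SMALL_COMPRESSED, MAX_SIZE) == SMALL)
    print("check-after-decompress materialised:",
          bytes_materialised(decompress_then_check, ZERO_BOMB, MAX_SIZE), "bytes")
    print("output-bounded decompress materialised:",
          bytes_materialised(decompress_bounded, ZERO_BOMB, MAX_SIZE), "bytes")
```

Both functions reject the bomb, but the first one only does so after building all 16 MiB, while the bounded one stops at the cap plus one chunk. Scaling the constructed bomb up reproduces the memory exhaustion the advisory describes for the first pattern and leaves the second unaffected.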

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package       Release     Version          Status
python-scrapy (PTS)  bullseye    2.4.1-2+deb11u1  vulnerable
                     bookworm    2.8.0-2          vulnerable
                     trixie      2.12.0-2         vulnerable
                     forky, sid  2.13.4-1         fixed

The information below is based on the following data on fixed versions.

Package        Type    Release     Fixed Version  Urgency      Origin  Debian Bugs
python-scrapy  source  (unstable)  2.13.4-1       unimportant

Notes

https://huntr.com/bounties/2c26a886-5984-47ee-a421-0d5fe1344eb0
Fixed by: https://github.com/scrapy/scrapy/commit/c44b8df6c7f8a6650c9655e271da2ba3a764fa15 (2.13.4)
Negligible security impact
