CVE-2025-6176 — HIGH (7.5) — White Hats Nepal

Vulnerability Description

Scrapy versions up to 2.13.2 are vulnerable to a denial of service (DoS) attack due to a flaw in its brotli decompression implementation. The protection mechanism against decompression bombs fails to mitigate the brotli variant, allowing remote servers to crash clients with less than 80GB of available memory. This occurs because brotli can achieve extremely high compression ratios for zero-filled data, leading to excessive memory consumption during decompression.

CVSS Score

7.5

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Related Weaknesses (CWE)

CWE-400

References

https://huntr.com/bounties/2c26a886-5984-47ee-a421-0d5fe1344eb0

FAQ

What is CVE-2025-6176?

CVE-2025-6176 is a vulnerability with a CVSS score of 7.5 (HIGH). Scrapy versions up to 2.13.2 are vulnerable to a denial of service (DoS) attack due to a flaw in its brotli decompression implementation. The protection mechanism against decompression bombs fails to ...

How severe is CVE-2025-6176?

CVE-2025-6176 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-6176?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.