CVE-2025-6998

Vulnerability Description

ReDoS in strip_whitespaces() function in cps/string_helper.py in Calibre Web and Autocaliweb allows unauthenticated remote attackers to cause denial of service via specially crafted username parameter that triggers catastrophic backtracking during login. This issue affects Calibre Web: 0.6.24 (Nicolette); Autocaliweb: from 0.7.0 before 0.7.1.

Related Weaknesses (CWE)

CWE-1333

References

https://fluidattacks.com/advisories/megadeth
https://github.com/gelbphoenix/autocaliweb
https://github.com/janeczku/calibre-web

FAQ

What is CVE-2025-6998?

CVE-2025-6998 is a documented vulnerability. ReDoS in strip_whitespaces() function in cps/string_helper.py in Calibre Web and Autocaliweb allows unauthenticated remote attackers to cause denial of service via specially crafted username parameter...

How severe is CVE-2025-6998?

CVSS scoring is not yet available for CVE-2025-6998. Check NVD for updates.

Is there a patch for CVE-2025-6998?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.