Home > Vulnerability Database > CVE-2025-6176

Mend.io Vulnerability Database

CVE-2025-6176

Good to know:

Date: October 30, 2025

Scrapy versions up to 2.13.2 are vulnerable to a denial of service (DoS) attack due to a flaw in its brotli decompression implementation. The protection mechanism against decompression bombs fails to mitigate the brotli variant, allowing remote servers to crash clients with less than 80GB of available memory. This occurs because brotli can achieve extremely high compression ratios for zero-filled data, leading to excessive memory consumption during decompression.

Severity Score

7.5

Related Resources (12)

Url: https://github.com/google/brotli/pull/1234

Url: https://huntr.com/bounties/2c26a886-5984-47ee-a421-0d5fe1344eb0

Url: https://github.com/google/brotli/commit/67d78bc41db1a0d03f2e763497748f2f69946627

Url: https://github.com/github/advisory-database/pull/6380

Url: https://github.com/google/brotli/issues/1327#issuecomment-3479462458

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-6176

Url: https://github.com/google/brotli/releases/tag/v1.2.0

Url: https://github.com/google/brotli/issues/1375

Url: https://github.com/scrapy/scrapy/pull/7134

Url: https://github.com/google/brotli/issues/1327#issuecomment-3457434715

Url: https://github.com/google/brotli

Url: https://www.mend.io/vulnerability-database/CVE-2025-6176

Severity Score

7.5

Weakness Type (CWE)

Uncontrolled Resource Consumption

CWE-400

Top Fix

Upgrade Version

Upgrade to version brotli - 1.2.0

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-6176

Good to know:

Date: October 30, 2025

Severity Score

Related Resources (12)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?