CVE-2025-6176Uncontrolled Resource Consumption in Scrapy

CWE-400Uncontrolled Resource Consumption8 documents7 sources
Severity
7.5HIGHNVD
EPSS
0.0%
top 90.42%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
ScrapyDebian Python-scrapyScrapy Scrapy
Timeline
PublishedOct 31

Description

Scrapy versions up to 2.13.2 are vulnerable to a denial of service (DoS) attack due to a flaw in its brotli decompression implementation. The protection mechanism against decompression bombs fails to mitigate the brotli variant, allowing remote servers to crash clients with less than 80GB of available memory. This occurs because brotli can achieve extremely high compression ratios for zero-filled data, leading to excessive memory consumption during decompression.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

PyPIscrapy/scrapy< 2.13.4
debiandebian/python-scrapy< python-scrapy 2.13.4-1 (forky)
CVEListV5scrapy/scrapy_scrapyunspecifiedlatest

🔴Vulnerability Details

3
OSV
Scrapy is vulnerable to a denial of service (DoS) attack due to flaws in brotli decompression implementation2025-10-31
GHSA
Scrapy is vulnerable to a denial of service (DoS) attack due to flaws in brotli decompression implementation2025-10-31
OSV
CVE-2025-6176: Scrapy versions up to 22025-10-31

💥Exploits & PoCs

1
Exploit-DB
Microsoft Edge Windows 10 Version 1511 - Cross Site Scripting (XSS)2025-07-22

📋Vendor Advisories

2
Red Hat
Scrapy: python-scrapy: brotli: Python brotli decompression bomb DoS2025-10-31
Debian
CVE-2025-6176: python-scrapy - Scrapy versions up to 2.13.2 are vulnerable to a denial of service (DoS) attack ...2025

💬Community

1
Bugzilla
CVE-2025-6176 Scrapy: python-scrapy: brotli: Python brotli decompression bomb DoS2025-10-31