PT-2025-44569 · Scrapy+2
Published 2025-06-14 · Updated 2026-02-19
CVE-2025-6176
CVSS v2.0: 7.8 High (AV:N/AC:L/Au:N/C:N/I:N/A:C)
Name of the Vulnerable Software and Affected Versions
Scrapy versions up to 2.13.2
Description
Scrapy is susceptible to a denial of service (DoS) attack stemming from an issue in its brotli decompression implementation. The built-in protection against decompression bombs does not effectively address the brotli variant, potentially causing client crashes with as little as 80GB of available memory. This is due to brotli's ability to achieve very high compression ratios with zero-filled data, resulting in substantial memory usage during decompression.
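The failure mode described above (a size check that runs only after the payload has been fully decompressed cannot stop a high-ratio input from exhausting memory) and its mitigation, as an added example that is not Scrapy's code: zlib from the standard library stands in for brotli so the block runs offline, and the 16 MiB zero-filled sample, the 1 MiB cap and the function names are constructed for this illustration.

```python
"""Bounded decompression as a defence against decompression bombs.
Added example, not Scrapy's code: zlib (stdlib) stands in for brotli so it
runs offline; the pattern is to cap output *while* decompressing, not after.
"""
import zlib

class DecompressionBombError(Exception):
    def __init__(self, produced: int, limit: int) -> None:
        super().__init__(f"decompressed output exceeded {limit} bytes")
        self.produced = produced  # bytes materialised before giving up

def make_zero_bomb(size: int) -> bytes:
    """Constructed sample: zero-filled data compresses to almost nothing."""
    return zlib.compress(b"\0" * size, 9)

def decompress_then_check(data: bytes, max_size: int) -> bytes:
    """Ineffective pattern: the whole payload is in memory before the check."""
    out = zlib.decompress(data)
    if len(out) > max_size:
        raise DecompressionBombError(len(out), max_size)
    return out

def decompress_bounded(data: bytes, max_size: int, step: int = 64 * 1024) -> bytes:
    """Decompress, aborting as soon as the output exceeds max_size.

    decompressobj.decompress(buf, max_length) returns at most `step` bytes per
    call and parks unread input in unconsumed_tail, so memory use stays below
    max_size + step whatever the compression ratio.
    """
    d = zlib.decompressobj()
    out = bytearray()
    buf = data
    while not d.eof:
        piece = d.decompress(buf, step)
        out += piece
        if len(out) > max_size:
            raise DecompressionBombError(len(out), max_size)
        buf = d.unconsumed_tail
        if not piece and not buf:
            break  # truncated stream: no input left and nothing more to emit
    return bytes(out)

if __name__ == "__main__":
    bomb = make_zero_bomb(16 * 1024 * 1024)  # 16 MiB of zeros, ~16 KiB compressed
    print(f"compressed size: {len(bomb)} bytes")
    for fn in (decompress_then_check, decompress_bounded):
        try:
            fn(bomb, max_size=1024 * 1024)
        except DecompressionBombError as e:
            print(f"{fn.__name__}: rejected after materialising {e.produced} bytes")
```

Running the module shows the check-after version materialising all 16 MiB before rejecting, while the bounded version stops within one step of the cap.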
Recommendations
Versions prior to 2.13.2 are affected.
Fix · DoS · Resource Exhaustion
Affected Products: Debian, Rocky Linux, Scrapy