PT-2025-44569 · Scrapy

Published 2025-06-14 · Updated 2026-01-20 · CVE-2025-6176

CVSS v2.0: 7.8
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: Scrapy versions up to 2.13.2
Description: Scrapy is vulnerable to a denial of service (DoS) attack caused by a flaw in its brotli decompression handling. The built-in protection against decompression bombs does not effectively cover the brotli variant, so a client can be crashed with as little as 80GB of available memory. The cause is brotli's ability to achieve very high compression ratios on zero-filled data, which leads to substantial memory usage during decompression.
Recommendations: Versions prior to 2.13.2 are affected.

Fix

DoS

Resource Exhaustion

Weakness Enumeration

Related Identifiers

ALSA-2026:0845
BDU:2026-00250
CVE-2025-6176
ECHO-4052-5AE3-2F41
GHSA-2QFP-Q593-8484
OESA-2025-2645
OESA-2025-2667
OESA-2025-2668
OESA-2025-2669
OESA-2025-2670
OESA-2025-2671
RHSA-2026:0008
RHSA-2026:0845

Affected Products

Debian
Scrapy