PT-2025-46207 · Bugsink · Bugsink
Published 2025-11-10 · Updated 2025-11-13 · CVE-2025-64508
CVSS v3.1: 7.5 (High)
CVSS v3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Bugsink versions prior to 2.0.5
Description
Bugsink is a self-hosted error tracking tool that is susceptible to a denial of service. Specially crafted brotli-compressed data streams, known as "bombs" (highly compressed brotli streams containing many zeros), can be sent to the server. The server attempts to decompress these streams before applying memory limits, leading to memory exhaustion and a denial of service. Exploitation requires knowledge of the DSN. This issue is distinct from a related brotli problem, GHSA-rrx3-2x4g-mq2h.
Recommendations
Update Bugsink to version 2.0.5 or later.
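The defect described above is the ordering of two steps: the server inflates the whole stream first and only then measures it, so a small compressed "bomb" has already consumed all the memory it can by the time any limit is checked. The example below is added here to illustrate that pattern and its fix; it is not Bugsink's code and does not use brotli. It uses the standard-library zlib module as a stand-in because its decompressobj exposes the same streaming primitive (a per-call output cap plus an "unconsumed input" tail) that a bounded decompressor needs, and the 1 MiB cap, the 16 MiB zero-run sample and the function names are all constructed for the demonstration.

```python
import zlib

# Hypothetical per-request cap on decompressed size. The advisory's point is
# that this limit must be enforced *while* decompressing, not afterwards.
MAX_DECOMPRESSED = 1 * 1024 * 1024  # 1 MiB

# Constructed sample "bomb": 16 MiB of zeros, which deflate shrinks to a few
# KiB. It stands in for the brotli bombs described in the advisory.
BOMB_SIZE = 16 * 1024 * 1024
BOMB = zlib.compress(b"\x00" * BOMB_SIZE, 9)


class PayloadTooLarge(Exception):
    def __init__(self, produced: int, limit: int):
        super().__init__(f"decompressed output exceeded {limit} bytes")
        self.produced = produced  # bytes materialised before the rejection
        self.limit = limit


def decompress_then_check(payload: bytes, limit: int = MAX_DECOMPRESSED) -> bytes:
    """Vulnerable pattern: inflate the whole stream, then look at its size.
    The full decompressed buffer is allocated before the check ever runs."""
    data = zlib.decompress(payload)
    if len(data) > limit:
        raise PayloadTooLarge(len(data), limit)
    return data


def decompress_bounded(payload: bytes, limit: int = MAX_DECOMPRESSED,
                       chunk: int = 64 * 1024) -> bytes:
    """Hardened pattern: inflate incrementally and stop as soon as the output
    passes `limit`, so peak memory stays near `limit + chunk` regardless of
    how large the stream would expand to."""
    d = zlib.decompressobj()
    out = bytearray()
    pending = payload
    while pending:
        # max_length bounds the output of this call; input that could not be
        # processed within that bound comes back in unconsumed_tail.
        piece = d.decompress(pending, chunk)
        out += piece
        if len(out) > limit:
            raise PayloadTooLarge(len(out), limit)
        if not piece and d.unconsumed_tail == pending:
            # Guard against a corrupt stream that neither consumes input nor
            # produces output; without it the loop would never terminate.
            raise ValueError("decompressor made no progress")
        pending = d.unconsumed_tail
    # flush() returns whatever the decompressor still holds internally, so the
    # cap has to be re-checked once more after the input is fully consumed.
    out += d.flush()
    if len(out) > limit:
        raise PayloadTooLarge(len(out), limit)
    return bytes(out)


if __name__ == "__main__":
    for name, fn in (("decompress-then-check", decompress_then_check),
                     ("bounded", decompress_bounded)):
        try:
            fn(BOMB)
        except PayloadTooLarge as e:
            print(f"{name}: rejected after materialising {e.produced} bytes "
                  f"(compressed input was {len(BOMB)} bytes)")
```

Both functions reject the sample, but the first only does so after materialising the full 16 MiB, whereas the bounded version gives up just past the 1 MiB cap with most of the compressed input still unread. In a real ingestion endpoint the same check belongs alongside a cap on the compressed request body and a cap on the accepted event size, so that no single request can drive allocation beyond a known bound.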
Exploit
Fix
DoS
Allocation of Resources Without Limits
Weakness Enumeration
Related Identifiers
Affected Products
Bugsink