CVE-2025-6176 HIGH

CVE-2025-6176: Brotli decompression bomb DoS in scrapy/scrapy

Vendor Scrapy
Product scrapy/scrapy
Weakness CWE-400
Published October 31, 2025
Last update October 31, 2025

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None
Availability High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

Description

Scrapy versions up to 2.13.2 are vulnerable to a denial of service (DoS) attack due to a flaw in its brotli decompression implementation. The protection mechanism against decompression bombs fails to mitigate the brotli variant, allowing remote servers to crash clients with less than 80GB of available memory. This occurs because brotli can achieve extremely high compression ratios for zero-filled data, leading to excessive memory consumption during decompression.
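As an added illustration (not code from this advisory or from the Scrapy project), the Python below shows the defensive pattern the description is about: a decompressor that caps its own output, so a few hundred bytes of highly compressible input cannot be expanded into gigabytes before anything notices. It uses zlib from the standard library because that codec is always available; the brotli binding is not used, and the assumption is that a brotli decoder needs the same kind of limit enforced inside the decoder. A check that only measures the decompressed length after each input chunk is processed fires too late when a single chunk can expand to tens of gigabytes, which is what the advisory says zero-filled data does under brotli.

```python
import zlib


class DecompressionBombError(ValueError):
    """Raised when the decompressed output would exceed the caller's limit."""


def decompress_bounded(data: bytes, max_size: int) -> bytes:
    """Inflate zlib-wrapped deflate data, never producing more than max_size bytes.

    The cap is enforced by the decompressor itself (the max_length argument),
    not by checking len(output) between input chunks. A decompression bomb
    turns a tiny input into gigabytes, so a check that runs only after an
    input chunk has been fully decoded has already allocated the bomb.
    """
    d = zlib.decompressobj()
    out = bytearray()
    pending = data
    while not d.eof:
        # Ask for the remaining budget plus one byte: if that extra byte
        # arrives, the stream is larger than allowed and we stop right here.
        piece = d.decompress(pending, max_size - len(out) + 1)
        out += piece
        if len(out) > max_size:
            raise DecompressionBombError(
                f"decompressed size exceeds {max_size} bytes; refusing to continue")
        pending = d.unconsumed_tail  # input the decoder has not yet consumed
        if not piece and not pending:
            # No new output, no input left, and no end-of-stream marker seen.
            raise zlib.error("truncated compressed stream")
    return bytes(out)


def make_zero_bomb(plain_size: int) -> bytes:
    """Constructed sample input: a run of zero bytes, compressed at level 9.

    Deflate shrinks this by roughly three orders of magnitude; the advisory
    describes brotli reaching far higher ratios on the same kind of data.
    """
    return zlib.compress(b"\x00" * plain_size, 9)


def expansion_ratio(plain_size: int) -> float:
    """How many output bytes each input byte of the constructed bomb yields."""
    return plain_size / len(make_zero_bomb(plain_size))


if __name__ == "__main__":
    size = 10_000_000  # 10 MB of zeros, constructed locally
    bomb = make_zero_bomb(size)
    print(f"bomb is {len(bomb)} bytes on the wire, "
          f"expands x{expansion_ratio(size):.0f}")
    try:
        decompress_bounded(bomb, max_size=1_000_000)
    except DecompressionBombError as exc:
        print("rejected:", exc)
    # An honest payload well under the limit still decodes normally.
    print(len(decompress_bounded(make_zero_bomb(1000), max_size=4096)), "bytes ok")
```

The important design choice is where the limit lives: handing the budget to `decompress()` means the decoder stops writing when the budget is spent, whereas comparing `len(out)` against the limit after an unbounded call would happen only after the whole expansion had already been materialised in memory.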

Key dates

Disclosure timeline

October 31, 2025 CVE published
October 31, 2025 Record updated