CVE-2025-6176 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2025-6176 Interim 1 3 2026-03-05T01:30:20Z current 2025-11-01T01:03:38Z 2026-03-05T01:30:20Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2025-6176 Scrapy versions up to 2.13.2 are vulnerable to a denial of service (DoS) attack due to a flaw in its brotli decompression implementation. The protection mechanism against decompression bombs fails to mitigate the brotli variant, allowing remote servers to crash clients with less than 80GB of available memory. This occurs because brotli can achieve extremely high compression ratios for zero-filled data, leading to excessive memory consumption during decompression. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.suse.com/pipermail/suse-liberty-linux-updates/2026-February/002492.html E-Mail link for RHSA-2026:2389 https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Liberty Linux 8 openSUSE Tumbleweed brotli-1.0.6-4.el8_10 brotli-devel-1.0.6-4.el8_10 python-Scrapy-doc-2.13.3-2.1 python3-brotli-1.0.6-4.el8_10 python311-Brotli-1.2.0-1.1 python311-Scrapy-2.13.3-2.1 python311-py7zr-1.1.0-1.1 python312-Brotli-1.2.0-1.1 python312-Scrapy-2.13.3-2.1 python312-py7zr-1.1.0-1.1 python313-Brotli-1.2.0-1.1 python313-Scrapy-2.13.3-2.1 python313-py7zr-1.1.0-1.1 brotli-1.0.6-4.el8_10 as a component of SUSE Liberty Linux 8 brotli-devel-1.0.6-4.el8_10 as a component of SUSE Liberty Linux 8 python3-brotli-1.0.6-4.el8_10 as a component of SUSE Liberty Linux 8 python-Scrapy-doc-2.13.3-2.1 as a component of openSUSE Tumbleweed python311-Brotli-1.2.0-1.1 as a component of openSUSE Tumbleweed python311-Scrapy-2.13.3-2.1 as a component of openSUSE Tumbleweed python311-py7zr-1.1.0-1.1 as a component of openSUSE Tumbleweed python312-Brotli-1.2.0-1.1 as a component of openSUSE Tumbleweed python312-Scrapy-2.13.3-2.1 as a component of openSUSE Tumbleweed python312-py7zr-1.1.0-1.1 as a component of openSUSE Tumbleweed python313-Brotli-1.2.0-1.1 as a component of openSUSE Tumbleweed python313-Scrapy-2.13.3-2.1 as a component of openSUSE Tumbleweed python313-py7zr-1.1.0-1.1 as a component of openSUSE Tumbleweed Scrapy versions up to 2.13.2 are vulnerable to a denial of service (DoS) attack due to a flaw in its brotli decompression implementation. The protection mechanism against decompression bombs fails to mitigate the brotli variant, allowing remote servers to crash clients with less than 80GB of available memory. This occurs because brotli can achieve extremely high compression ratios for zero-filled data, leading to excessive memory consumption during decompression. CVE-2025-6176 SUSE Liberty Linux 8:brotli-1.0.6-4.el8_10 SUSE Liberty Linux 8:brotli-devel-1.0.6-4.el8_10 SUSE Liberty Linux 8:python3-brotli-1.0.6-4.el8_10 openSUSE Tumbleweed:python-Scrapy-doc-2.13.3-2.1 openSUSE Tumbleweed:python311-Brotli-1.2.0-1.1 openSUSE Tumbleweed:python311-Scrapy-2.13.3-2.1 openSUSE Tumbleweed:python311-py7zr-1.1.0-1.1 openSUSE Tumbleweed:python312-Brotli-1.2.0-1.1 openSUSE Tumbleweed:python312-Scrapy-2.13.3-2.1 openSUSE Tumbleweed:python312-py7zr-1.1.0-1.1 openSUSE Tumbleweed:python313-Brotli-1.2.0-1.1 openSUSE Tumbleweed:python313-Scrapy-2.13.3-2.1 openSUSE Tumbleweed:python313-py7zr-1.1.0-1.1 moderate