CVE-2025-64509

HIGH7.5EPSS 0.11%

Bugsink is vulnerable to unauthenticated remote DoS via crafted Brotli input (via CPU)

Published: 11/13/2025Modified: 11/13/2025

Description

### Impact In affected versions, a specially crafted Brotli-compressed envelope can cause Bugsink to spend excessive CPU time in decompression, leading to denial of service. This can be done if the DSN is known, which it is in many common setups (JavaScript, Mobile Apps). ### Patches Patched in Bugsink 2.0.6 ### References The vulnerability in this security advisory is similar to, but distinct from, another brotli-related problem in Bugsink: https://github.com/bugsink/bugsink/security/advisories/GHSA-fc2v-vcwj-269v

Affected packages (1)

PyPI/bugsinkfrom 0, < 2.0.6

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-64509
PATCHhttps://github.com/bugsink/bugsink
WEBhttps://github.com/bugsink/bugsink/commit/1201f754e39265d2aac58edf49dc380bac334388
WEBhttps://github.com/bugsink/bugsink/security/advisories/GHSA-rrx3-2x4g-mq2h