CVE-2025-64509

HIGH7.5EPSS 0.11%

Bugsink is vulnerable to unauthenticated remote DoS via crafted Brotli input (via CPU)

發布日:2025/11/13修改日:2025/11/13

描述

### Impact In affected versions, a specially crafted Brotli-compressed envelope can cause Bugsink to spend excessive CPU time in decompression, leading to denial of service. This can be done if the DSN is known, which it is in many common setups (JavaScript, Mobile Apps). ### Patches Patched in Bugsink 2.0.6 ### References The vulnerability in this security advisory is similar to, but distinct from, another brotli-related problem in Bugsink: https://github.com/bugsink/bugsink/security/advisories/GHSA-fc2v-vcwj-269v

受影響套件(1)

PyPI/bugsinkfrom 0, < 2.0.6

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-64509
PATCHhttps://github.com/bugsink/bugsink
WEBhttps://github.com/bugsink/bugsink/commit/1201f754e39265d2aac58edf49dc380bac334388
WEBhttps://github.com/bugsink/bugsink/security/advisories/GHSA-rrx3-2x4g-mq2h