Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-gwc3-dztv-37dw

Summary

Calibre Web and Autocaliweb have a ReDoS vulnerability
ReDoS in strip_whitespaces() function in cps/string_helper.py in Calibre Web and Autocaliweb allows unauthenticated remote attackers to cause denial of service via specially crafted username parameter that triggers catastrophic backtracking during login. This issue affects Calibre Web: 0.6.24 (Nicolette); Autocaliweb: from 0.7.0 before 0.7.1.

Aliases

alias	CVE-2025-6998

alias	GHSA-2g7m-ph9x-7q7m

Fixed_packages

Affected_packages

url pkg:pypi/calibreweb@0.6.12

purl pkg:pypi/calibreweb@0.6.12

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4xd2-y3tq-ckh8

vulnerability	VCID-6z85-9d5x-nyaq

vulnerability	VCID-9jsz-tc58-2ud8

vulnerability	VCID-am1q-9mhn-c7fr

vulnerability	VCID-bkzx-fvcv-t3g8

vulnerability	VCID-c5yg-2q1m-qkf6

vulnerability	VCID-g6g1-rcqv-wkdj

vulnerability	VCID-gb1g-yf4f-tygr

vulnerability	VCID-gwc3-dztv-37dw

vulnerability	VCID-hsbf-rfcu-qyaq

vulnerability	VCID-jcpd-2fkh-mkc1

vulnerability	VCID-kekh-f74c-m7bt

vulnerability	VCID-kswt-bt4h-nbdf

vulnerability	VCID-m8wg-f36t-pygt

vulnerability	VCID-mayx-3wtu-nkbp

vulnerability	VCID-s28v-vbvy-3bgb

vulnerability	VCID-xmnj-teby-fygk

vulnerability	VCID-y3wa-7wgk-3khp

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/calibreweb@0.6.12

url pkg:pypi/calibreweb@0.6.13

purl pkg:pypi/calibreweb@0.6.13

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4xd2-y3tq-ckh8

vulnerability	VCID-6z85-9d5x-nyaq

vulnerability	VCID-9jsz-tc58-2ud8

vulnerability	VCID-am1q-9mhn-c7fr

vulnerability	VCID-bkzx-fvcv-t3g8

vulnerability	VCID-c5yg-2q1m-qkf6

vulnerability	VCID-g6g1-rcqv-wkdj

vulnerability	VCID-gb1g-yf4f-tygr

vulnerability	VCID-gwc3-dztv-37dw

vulnerability	VCID-hsbf-rfcu-qyaq

vulnerability	VCID-jcpd-2fkh-mkc1

vulnerability	VCID-kekh-f74c-m7bt

vulnerability	VCID-kswt-bt4h-nbdf

vulnerability	VCID-m8wg-f36t-pygt

vulnerability	VCID-mayx-3wtu-nkbp

vulnerability	VCID-s28v-vbvy-3bgb

vulnerability	VCID-xmnj-teby-fygk

vulnerability	VCID-y3wa-7wgk-3khp

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/calibreweb@0.6.13

url pkg:pypi/calibreweb@0.6.14

purl pkg:pypi/calibreweb@0.6.14

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4xd2-y3tq-ckh8

vulnerability	VCID-6z85-9d5x-nyaq

vulnerability	VCID-9jsz-tc58-2ud8

vulnerability	VCID-am1q-9mhn-c7fr

vulnerability	VCID-bkzx-fvcv-t3g8

vulnerability	VCID-c5yg-2q1m-qkf6

vulnerability	VCID-g6g1-rcqv-wkdj

vulnerability	VCID-gb1g-yf4f-tygr

vulnerability	VCID-gwc3-dztv-37dw

vulnerability	VCID-hsbf-rfcu-qyaq

vulnerability	VCID-jcpd-2fkh-mkc1

vulnerability	VCID-kekh-f74c-m7bt

vulnerability	VCID-kswt-bt4h-nbdf

vulnerability	VCID-m8wg-f36t-pygt

vulnerability	VCID-mayx-3wtu-nkbp

vulnerability	VCID-s28v-vbvy-3bgb

vulnerability	VCID-xmnj-teby-fygk

vulnerability	VCID-y3wa-7wgk-3khp

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/calibreweb@0.6.14

url pkg:pypi/calibreweb@0.6.15

purl pkg:pypi/calibreweb@0.6.15

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4xd2-y3tq-ckh8

vulnerability	VCID-6z85-9d5x-nyaq

vulnerability	VCID-9jsz-tc58-2ud8

vulnerability	VCID-am1q-9mhn-c7fr

vulnerability	VCID-bkzx-fvcv-t3g8

vulnerability	VCID-g6g1-rcqv-wkdj

vulnerability	VCID-gb1g-yf4f-tygr

vulnerability	VCID-gwc3-dztv-37dw

vulnerability	VCID-jcpd-2fkh-mkc1

vulnerability	VCID-kekh-f74c-m7bt

vulnerability	VCID-m8wg-f36t-pygt

vulnerability	VCID-s28v-vbvy-3bgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/calibreweb@0.6.15

url pkg:pypi/calibreweb@0.6.16

purl pkg:pypi/calibreweb@0.6.16

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4xd2-y3tq-ckh8

vulnerability	VCID-bkzx-fvcv-t3g8

vulnerability	VCID-g6g1-rcqv-wkdj

vulnerability	VCID-gb1g-yf4f-tygr

vulnerability	VCID-gwc3-dztv-37dw

vulnerability	VCID-jcpd-2fkh-mkc1

vulnerability	VCID-kekh-f74c-m7bt

vulnerability	VCID-m8wg-f36t-pygt

vulnerability	VCID-s28v-vbvy-3bgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/calibreweb@0.6.16

url pkg:pypi/calibreweb@0.6.17

purl pkg:pypi/calibreweb@0.6.17

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4xd2-y3tq-ckh8

vulnerability	VCID-bkzx-fvcv-t3g8

vulnerability	VCID-gb1g-yf4f-tygr

vulnerability	VCID-gwc3-dztv-37dw

vulnerability	VCID-jcpd-2fkh-mkc1

vulnerability	VCID-m8wg-f36t-pygt

vulnerability	VCID-s28v-vbvy-3bgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/calibreweb@0.6.17

url pkg:pypi/calibreweb@0.6.18

purl pkg:pypi/calibreweb@0.6.18

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4xd2-y3tq-ckh8

vulnerability	VCID-bkzx-fvcv-t3g8

vulnerability	VCID-gb1g-yf4f-tygr

vulnerability	VCID-gwc3-dztv-37dw

vulnerability	VCID-m8wg-f36t-pygt

vulnerability	VCID-s28v-vbvy-3bgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/calibreweb@0.6.18

url pkg:pypi/calibreweb@0.6.19

purl pkg:pypi/calibreweb@0.6.19

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4xd2-y3tq-ckh8

vulnerability	VCID-bkzx-fvcv-t3g8

vulnerability	VCID-gb1g-yf4f-tygr

vulnerability	VCID-gwc3-dztv-37dw

vulnerability	VCID-m8wg-f36t-pygt

vulnerability	VCID-s28v-vbvy-3bgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/calibreweb@0.6.19

url pkg:pypi/calibreweb@0.6.20

purl pkg:pypi/calibreweb@0.6.20

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4xd2-y3tq-ckh8

vulnerability	VCID-gb1g-yf4f-tygr

vulnerability	VCID-gwc3-dztv-37dw

vulnerability	VCID-m8wg-f36t-pygt

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/calibreweb@0.6.20

url pkg:pypi/calibreweb@0.6.21

purl pkg:pypi/calibreweb@0.6.21

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4xd2-y3tq-ckh8

vulnerability	VCID-gb1g-yf4f-tygr

vulnerability	VCID-gwc3-dztv-37dw

vulnerability	VCID-m8wg-f36t-pygt

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/calibreweb@0.6.21

url pkg:pypi/calibreweb@0.6.22

purl pkg:pypi/calibreweb@0.6.22

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4xd2-y3tq-ckh8

vulnerability	VCID-gb1g-yf4f-tygr

vulnerability	VCID-gwc3-dztv-37dw

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/calibreweb@0.6.22

url pkg:pypi/calibreweb@0.6.23

purl pkg:pypi/calibreweb@0.6.23

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4xd2-y3tq-ckh8

vulnerability	VCID-gb1g-yf4f-tygr

vulnerability	VCID-gwc3-dztv-37dw

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/calibreweb@0.6.23

url pkg:pypi/calibreweb@0.6.24

purl pkg:pypi/calibreweb@0.6.24

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4xd2-y3tq-ckh8

vulnerability	VCID-gb1g-yf4f-tygr

vulnerability	VCID-gwc3-dztv-37dw

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/calibreweb@0.6.24

References

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-6998

reference_id

reference_type

scores

value	0.00202
scoring_system	epss
scoring_elements	0.423
published_at	2026-06-05T12:55:00Z

value	0.00202
scoring_system	epss
scoring_elements	0.42283
published_at	2026-06-07T12:55:00Z

value	0.00202
scoring_system	epss
scoring_elements	0.42311
published_at	2026-06-06T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-6998

reference_url

https://fluidattacks.com/advisories/megadeth

reference_id

reference_type

scores

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-24T19:50:08Z/

url

https://fluidattacks.com/advisories/megadeth

reference_url

https://github.com/gelbphoenix/autocaliweb

reference_id

reference_type

scores

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-24T19:50:08Z/

url

https://github.com/gelbphoenix/autocaliweb

reference_url

https://github.com/janeczku/calibre-web

reference_id

reference_type

scores

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-24T19:50:08Z/

url

https://github.com/janeczku/calibre-web

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-6998

reference_id

CVE-2025-6998

reference_type

scores

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-6998

reference_url	https://github.com/advisories/GHSA-2g7m-ph9x-7q7m
reference_id	GHSA-2g7m-ph9x-7q7m
reference_type
scores
url	https://github.com/advisories/GHSA-2g7m-ph9x-7q7m

Weaknesses

cwe_id	1333
name	Inefficient Regular Expression Complexity
description	The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

Exploits

Severity_range_score 7.0 - 8.9

Exploitability 0.5

Weighted_severity 8.0

Risk_score 4.0

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gwc3-dztv-37dw

Vulnerability Instance