Vulnerability details: VCID-dc1m-rt7j-w3af
Vulnerability ID: VCID-dc1m-rt7j-w3af
Aliases: CVE-2025-6176, GHSA-2qfp-q593-8484
Summary: Scrapy is vulnerable to a denial of service (DoS) attack due to flaws in its brotli decompression implementation.
Scrapy versions up to 2.13.3 are vulnerable to a denial of service (DoS) attack due to a flaw in its brotli decompression implementation. The protection mechanism against decompression bombs fails to mitigate the brotli variant, allowing remote servers to crash clients with less than 80GB of available memory. This occurs because brotli can achieve extremely high compression ratios for zero-filled data, leading to excessive memory consumption during decompression. Mitigation for this vulnerability needs the security enhancement added in brotli v1.2.0.
Status: Published
Exploitability: 0.5
Weighted Severity: 8.0
Risk: 4.0
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6176.json
epss 0.00028 https://api.first.org/data/v1/epss?cve=CVE-2025-6176
epss 0.00033 https://api.first.org/data/v1/epss?cve=CVE-2025-6176
epss 0.00037 https://api.first.org/data/v1/epss?cve=CVE-2025-6176
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-2qfp-q593-8484
cvssv3.1 7.5 https://github.com/google/brotli
generic_textual HIGH https://github.com/google/brotli
cvssv3.1 7.5 https://github.com/google/brotli/commit/67d78bc41db1a0d03f2e763497748f2f69946627
generic_textual HIGH https://github.com/google/brotli/commit/67d78bc41db1a0d03f2e763497748f2f69946627
cvssv3.1 7.5 https://github.com/google/brotli/issues/1327
generic_textual HIGH https://github.com/google/brotli/issues/1327
cvssv3.1 7.5 https://github.com/google/brotli/issues/1375
generic_textual HIGH https://github.com/google/brotli/issues/1375
cvssv3.1 7.5 https://github.com/google/brotli/pull/1234
generic_textual HIGH https://github.com/google/brotli/pull/1234
cvssv3.1 7.5 https://github.com/google/brotli/releases/tag/v1.2.0
generic_textual HIGH https://github.com/google/brotli/releases/tag/v1.2.0
cvssv3.1 7.5 https://github.com/scrapy/scrapy/commit/14737e91edc513967f516fc839cc9c8a4f8d91da
generic_textual HIGH https://github.com/scrapy/scrapy/commit/14737e91edc513967f516fc839cc9c8a4f8d91da
cvssv3.1 7.5 https://github.com/scrapy/scrapy/pull/7134
generic_textual HIGH https://github.com/scrapy/scrapy/pull/7134
cvssv3 7.5 https://huntr.com/bounties/2c26a886-5984-47ee-a421-0d5fe1344eb0
cvssv3.1 7.5 https://huntr.com/bounties/2c26a886-5984-47ee-a421-0d5fe1344eb0
generic_textual HIGH https://huntr.com/bounties/2c26a886-5984-47ee-a421-0d5fe1344eb0
ssvc Track https://huntr.com/bounties/2c26a886-5984-47ee-a421-0d5fe1344eb0
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2025-6176
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2025-6176
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6176.json
https://api.first.org/data/v1/epss?cve=CVE-2025-6176
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6176
https://github.com/google/brotli
https://github.com/google/brotli/commit/67d78bc41db1a0d03f2e763497748f2f69946627
https://github.com/google/brotli/issues/1327
https://github.com/google/brotli/issues/1375
https://github.com/google/brotli/pull/1234
https://github.com/google/brotli/releases/tag/v1.2.0
https://github.com/scrapy/scrapy/commit/14737e91edc513967f516fc839cc9c8a4f8d91da
https://github.com/scrapy/scrapy/pull/7134
https://huntr.com/bounties/2c26a886-5984-47ee-a421-0d5fe1344eb0
2408762 https://bugzilla.redhat.com/show_bug.cgi?id=2408762
CVE-2025-6176 https://nvd.nist.gov/vuln/detail/CVE-2025-6176
GHSA-2qfp-q593-8484 https://github.com/advisories/GHSA-2qfp-q593-8484
RHSA-2026:0008 https://access.redhat.com/errata/RHSA-2026:0008
RHSA-2026:0845 https://access.redhat.com/errata/RHSA-2026:0845
RHSA-2026:2042 https://access.redhat.com/errata/RHSA-2026:2042
RHSA-2026:2226 https://access.redhat.com/errata/RHSA-2026:2226
RHSA-2026:2227 https://access.redhat.com/errata/RHSA-2026:2227
RHSA-2026:2228 https://access.redhat.com/errata/RHSA-2026:2228
RHSA-2026:2229 https://access.redhat.com/errata/RHSA-2026:2229
RHSA-2026:2389 https://access.redhat.com/errata/RHSA-2026:2389
RHSA-2026:2399 https://access.redhat.com/errata/RHSA-2026:2399
RHSA-2026:2400 https://access.redhat.com/errata/RHSA-2026:2400
RHSA-2026:2401 https://access.redhat.com/errata/RHSA-2026:2401
RHSA-2026:2455 https://access.redhat.com/errata/RHSA-2026:2455
RHSA-2026:2737 https://access.redhat.com/errata/RHSA-2026:2737
RHSA-2026:2800 https://access.redhat.com/errata/RHSA-2026:2800
RHSA-2026:2844 https://access.redhat.com/errata/RHSA-2026:2844
RHSA-2026:2974 https://access.redhat.com/errata/RHSA-2026:2974
RHSA-2026:2976 https://access.redhat.com/errata/RHSA-2026:2976
RHSA-2026:3392 https://access.redhat.com/errata/RHSA-2026:3392
RHSA-2026:3406 https://access.redhat.com/errata/RHSA-2026:3406
RHSA-2026:3415 https://access.redhat.com/errata/RHSA-2026:3415
RHSA-2026:3417 https://access.redhat.com/errata/RHSA-2026:3417
RHSA-2026:3861 https://access.redhat.com/errata/RHSA-2026:3861
RHSA-2026:4419 https://access.redhat.com/errata/RHSA-2026:4419
RHSA-2026:4465 https://access.redhat.com/errata/RHSA-2026:4465
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6176.json
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/google/brotli
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/google/brotli/commit/67d78bc41db1a0d03f2e763497748f2f69946627
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/google/brotli/issues/1327
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/google/brotli/issues/1375
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/google/brotli/pull/1234
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/google/brotli/releases/tag/v1.2.0
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/scrapy/scrapy/commit/14737e91edc513967f516fc839cc9c8a4f8d91da
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/scrapy/scrapy/pull/7134
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://huntr.com/bounties/2c26a886-5984-47ee-a421-0d5fe1344eb0
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-31T16:15:58Z/ Found at https://huntr.com/bounties/2c26a886-5984-47ee-a421-0d5fe1344eb0
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2025-6176
Exploit Prediction Scoring System (EPSS)
Percentile: 0.08
EPSS Score: 0.00028
Published At: April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:53:07.693987+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/brotli/CVE-2025-6176.yml 38.0.0