CVE-2025-6176 Brotli decompression bomb DoS in scrapy/scrapy

🗓️ 31 Oct 2025 00:00:21Reported by @huntr_aiType

CVE-2025-6176: Scrapy vulnerable to Brotli decompression bomb DoS causing memory exhaustion for clients

Reporter	Title	Published	Views	Family All 187
IBM Security Bulletins	Security Bulletin: Muliple security vulnerabilities found in IBM CICS TX Standard.	22 Apr 202614:23	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerability in brotli affects IBM Netezza Appliance	16 Apr 202611:17	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a denial of service in the Base OS image package: Scrapy [CVE-2025-6176]	14 Apr 202615:32	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerability in brotli affects IBM Netezza Appliance	27 Apr 202613:05	–	ibm
IBM Security Bulletins	Security Bulletin: ELM on Hybrid Cloud vulnerabilities addressed in 2.0.0	20 Apr 202609:57	–	ibm
Huntr	Brotli decompression bomb DoS	14 Jun 202518:41	–	huntr
Tenable Nessus	Alibaba Cloud Linux 3 : 0039: brotli (ALINUX3-SA-2026:0039)	5 Mar 202600:00	–	nessus
Tenable Nessus	AlmaLinux 10 : brotli (ALSA-2026:0845)	21 Jan 202600:00	–	nessus
Tenable Nessus	AlmaLinux 9 : brotli (ALSA-2026:2042)	5 Feb 202600:00	–	nessus
Tenable Nessus	AlmaLinux 8 : brotli (ALSA-2026:2389)	11 Feb 202600:00	–	nessus

[
  {
    "vendor": "scrapy",
    "product": "scrapy/scrapy",
    "versions": [
      {
        "version": "unspecified",
        "status": "affected",
        "versionType": "custom",
        "lessThanOrEqual": "latest"
      }
    ]
  }
]

Source	Link
huntr	www.huntr.com/bounties/2c26a886-5984-47ee-a421-0d5fe1344eb0

31 Oct 2025 00:00Current

CVSS 37.5

EPSS0.00476

CWE-400