3256 matches found

OSV
added 2025/11/14 12:38 p.m., 2 views

OESA-2025-2671 brotli security update

Brotli is a generic-purpose lossless compression algorithm that compresses data using a combination of a modern variant of the LZ77 algorithm, Huffman coding and 2nd order context modeling, with a compression ratio comparable to the best currently available general-purpose compression methods. It...

CVSS 7.5 | AI score 7.3 | EPSS 0.00476 | Exploits 0 | References 2
OSV
added 2025/11/14 12:38 p.m., 2 views

OESA-2025-2670 brotli security update

Brotli is a generic-purpose lossless compression algorithm that compresses data using a combination of a modern variant of the LZ77 algorithm, Huffman coding and 2nd order context modeling, with a compression ratio comparable to the best currently available general-purpose compression methods. It...

CVSS 7.5 | AI score 6.5 | EPSS 0.00476 | Exploits 0 | References 2
OSV
added 2025/11/14 12:38 p.m., 3 views

OESA-2025-2668 brotli security update

Brotli is a generic-purpose lossless compression algorithm that compresses data using a combination of a modern variant of the LZ77 algorithm, Huffman coding and 2nd order context modeling, with a compression ratio comparable to the best currently available general-purpose compression methods. It...

CVSS 7.5 | AI score 6.5 | EPSS 0.00476 | Exploits 0 | References 2
OSV
added 2025/11/14 12:38 p.m., 4 views

OESA-2025-2669 brotli security update

Brotli is a generic-purpose lossless compression algorithm that compresses data using a combination of a modern variant of the LZ77 algorithm, Huffman coding and 2nd order context modeling, with a compression ratio comparable to the best currently available general-purpose compression methods. It...

CVSS 7.5 | AI score 6.5 | EPSS 0.00476 | Exploits 0 | References 2
OSV
added 2025/11/14 12:38 p.m., 3 views

OESA-2025-2667 brotli security update

Brotli is a generic-purpose lossless compression algorithm that compresses data using a combination of a modern variant of the LZ77 algorithm, Huffman coding and 2nd order context modeling, with a compression ratio comparable to the best currently available general-purpose compression methods. It...

CVSS 7.5 | AI score 6.5 | EPSS 0.00476 | Exploits 0 | References 2
Tenable Nessus
added 2025/11/13 12:00 a.m., 4 views

Siemens SIMATIC and SCALANCE Integer Overflow to Buffer Overflow (CVE-2025-0725)

When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the CURLOPT_ACCEPT_ENCODING option, using zlib 1.2.0.3 or older, an attacker-controlled integer overflow would make libcurl perform a buffer overflow. This plugin only works with Tenable.ot. Please...

CVSS 7.3 | AI score 6.8 | EPSS 0.01168 | Exploits 1 | References 5
Tenable Nessus
added 2025/11/13 12:00 a.m., 3 views

Siemens SIMATIC S7-1500 Allocation of Resources Without Limits or Throttling (CVE-2023-23916)

An allocation of resources without limits or throttling vulnerability exists in curl v7.88.0 based on the chained HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable links in this...

CVSS 6.5 | AI score 6.7 | EPSS 0.01703 | Exploits 1 | References 3
RedhatCVE
added 2025/11/11 10:44 p.m., 3 views

CVE-2025-64509

Bugsink is a self-hosted error tracking tool. In versions prior to 2.0.6, a specially crafted Brotli-compressed envelope can cause Bugsink to spend excessive CPU time in decompression, leading to denial of service. This can be done if the DSN is known, which it is in many common setups JavaScript...

CVSS 7.5 | AI score 6.4 | EPSS 0.00409 | Exploits 0 | References 1
Huntr
added 2025/11/11 9:51 a.m., 9 views

Unlimited-memory decompression leads to DoS bypassing `--http-max-input-size`

This report is not public...

AI score 5.4 | Exploits 0
Snyk
added 2025/11/10 10:43 p.m., 2 views

Allocation of Resources Without Limits or Throttling

Overview bugsink is a Self-hosted Error Tracking Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the Brotli Decompression process. An attacker can cause the server to exhaust available memory by sending highly compressed Brotli streams,...

CVSS 8.7 | AI score 6.8 | EPSS 0.00409 | Exploits 0 | References 2
Snyk
added 2025/11/10 10:43 p.m., 5 views

Allocation of Resources Without Limits or Throttling

Overview bugsink is a Self-hosted Error Tracking Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the Brotli Decompression process. An attacker can cause excessive CPU consumption by submitting a specially crafted Brotli-compressed...

CVSS 8.7 | AI score 6.7 | EPSS 0.00273 | Exploits 0 | References 2
OSV
added 2025/11/10 5:44 p.m., 1 view

BIT-OPENTELEMETRY-COLLECTOR-2024-36129 OpenTelemetry Collector has a Denial of Service via Zip/Decompression Bomb sent over HTTP or gRPC

The OpenTelemetry Collector offers a vendor-agnostic implementation on how to receive, process and export telemetry data. An unsafe decompression vulnerability allows unauthenticated attackers to crash the collector via excessive memory consumption. OTel Collector version 0.102.1 fixes this issue...

CVSS 8.2 | AI score 6.5 | EPSS 0.00994 | Exploits 1 | References 5
Positive Technologies
added 2025/11/10 12:00 a.m., 5 views

PT-2025-46207

Name of the Vulnerable Software and Affected Versions Bugsink versions prior to 2.0.5 Description Bugsink is a self-hosted error tracking tool susceptible to a Denial of Service. Specifically, specially crafted brotli compressed data streams, known as “bombs” highly compressed brotli streams...

CVSS 7.5 | AI score 6.5 | EPSS 0.00409 | Exploits 0 | References 14
Tenable Nessus
added 2025/11/07 12:00 a.m., 3 views

Python Library Brotli <= 1.1.0 DoS

The detected version of the Brotli Python package, Brotli, is prior or equal to 1.1.0. It is, therefore, affected by a denial of service DoS vulnerability due to decompression. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version...

CVSS 7.5 | AI score 7.1 | EPSS 0.00476 | Exploits 0 | References 2
Positive Technologies
added 2025/11/05 12:00 a.m., 5 views

PT-2025-48205

Name of the Vulnerable Software and Affected Versions Suricata versions prior to 7.0.13 Suricata versions prior to 8.0.2 Description Suricata is a network IDS, IPS and NSM engine. Versions of Suricata prior to 7.0.13 and 8.0.2 are susceptible to a stack overflow that can cause the software to cra...

CVSS 7.8 | AI score 6.8 | EPSS 0.01172 | Exploits 3 | References 73
Positive Technologies
added 2025/11/05 12:00 a.m., 5 views

PT-2025-48199

Name of the Vulnerable Software and Affected Versions Suricata versions 8.0.0 through 8.0.1 Description Suricata is a network IDS, IPS and NSM engine. Versions from 8.0.0 through 8.0.1 are susceptible to unbounded memory growth during decompression of compressed HTTP data. Disabling LZMA...

CVSS 7.8 | AI score 6.6 | EPSS 0.01172 | Exploits 3 | References 73
Tenable Nessus
added 2025/11/05 12:00 a.m., 1 view

Unity Linux 20.1070a Security Update: kernel (UTSA-2025-990369)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-990369 advisory. In the Linux kernel, the following vulnerability has been resolved: jffs2: Prevent rtime decompress memory corruption The rtime decompression routine does not fully...

CVSS 7.8 | AI score 6.4 | EPSS 0.00217 | Exploits 0 | References 4
Tenable Nessus
added 2025/11/05 12:00 a.m., 1 view

Unity Linux 20.1070e Security Update: kernel (UTSA-2025-989702)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-989702 advisory. In the Linux kernel, the following vulnerability has been resolved: jffs2: Prevent rtime decompress memory corruption The rtime decompression routine does not fully...

CVSS 7.8 | AI score 6.4 | EPSS 0.00217 | Exploits 0 | References 4
IBM Security Bulletins
added 2025/11/03 7:30 p.m., 11 views

Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for 24.0.0-IF007, 24.0.1-IF005 and 25.0.0-IF002

Summary: In addition to many updates of operating system level packages, the following security vulnerabilities are addressed with IBM Cloud Pak for Business Automation 24.0.0-IF007, 24.0.1-IF005 and 25.0.0-IF002. Vulnerability Details: CVEID: CVE-2025-58057 DESCRIPTION: Netty is an asynchronous...

CVSS 8.1 | AI score 6.8 | EPSS 0.01058 | Exploits 2 | Affected Software 2
RedhatCVE
added 2025/11/01 6:06 p.m., 5 views

CVE-2025-6176

Scrapy is vulnerable to a denial of service DoS attack due to a flaw in its brotli decompression implementation. The protection mechanism against decompression bombs fails to mitigate the brotli variant, allowing remote servers to crash clients with less than 80GB of available memory. This occur...

CVSS 7.5 | AI score 7.1 | EPSS 0.00476 | Exploits 0 | References 4