Bug 2408762 (CVE-2025-6176)

Summary:	CVE-2025-6176 Scrapy: python-scrapy: brotli: Python brotli decompression bomb DoS
Product:	[Other] Security Response	Reporter:	OSIDB Bzimport <bzimport>
Component:	vulnerability	Assignee:	Product Security DevOps Team <prodsec-dev>
Status:	NEW ---	QA Contact:
Severity:	high	Docs Contact:
Priority:	high
Version:	unspecified	CC:	achadha, amctagga, anthomas, aoconnor, asoldano, bbaranow, bmaxwell, bniver, brian.stansberry, carogers, cchiang, csutherl, darran.lofthouse, dosoudil, dranck, dschmidt, dymurray, ehelms, erezende, flucifre, ggainey, gmeno, groman, haoli, hkataria, ibolton, istudens, ivassile, iweiss, jajackso, jcammara, jclere, jmatthew, jmitchel, jmontleo, jneedle, juwatts, kegrant, koliveir, kshier, lbrazdil, mabashia, mattdavi, mbenjamin, mhackett, mhulan, mminar, mosmerov, msvehla, nmoumoul, nwallace, osousa, pbraun, pcreech, pesilva, pgaikwad, pjindal, plodge, pmackay, rbiba, rchan, rjohnson, rstancel, shvarugh, simaishi, slucidi, smaestri, smallamp, smcdonal, sostapov, sseago, sskracic, stcannon, teagle, tfister, thavo, tmalecek, tom.jenkinson, tpfromme, vchlup, vereddy, yguenane
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	---
Doc Text:	Scrapy are vulnerable to a denial of service (DoS) attack due to a flaw in its brotli decompression implementation. The protection mechanism against decompression bombs fails to mitigate the brotli variant, allowing remote servers to crash clients with less than 80GB of available memory. This occurs because brotli can achieve extremely high compression ratios for zero-filled data, leading to excessive memory consumption during decompression.	Story Points:	---
Clone Of:		Environment:
Last Closed:		Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	2411734, 2411735, 2419492, 2411733, 2419490, 2419491, 2419493
Bug Blocks:

Description OSIDB Bzimport 2025-10-31 01:01:20 UTC

Scrapy versions up to 2.13.2 are vulnerable to a denial of service (DoS) attack due to a flaw in its brotli decompression implementation. The protection mechanism against decompression bombs fails to mitigate the brotli variant, allowing remote servers to crash clients with less than 80GB of available memory. This occurs because brotli can achieve extremely high compression ratios for zero-filled data, leading to excessive memory consumption during decompression.

Comment 3 errata-xmlrpc 2026-01-05 01:17:06 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:0008 https://access.redhat.com/errata/RHSA-2026:0008

Comment 5 errata-xmlrpc 2026-01-20 12:02:29 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:0845 https://access.redhat.com/errata/RHSA-2026:0845

Comment 6 errata-xmlrpc 2026-02-05 09:36:27 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:2042 https://access.redhat.com/errata/RHSA-2026:2042

Comment 7 errata-xmlrpc 2026-02-09 01:33:41 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:2226 https://access.redhat.com/errata/RHSA-2026:2226

Comment 8 errata-xmlrpc 2026-02-09 02:14:41 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:2228 https://access.redhat.com/errata/RHSA-2026:2228

Comment 9 errata-xmlrpc 2026-02-09 02:16:06 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:2229 https://access.redhat.com/errata/RHSA-2026:2229

Comment 10 errata-xmlrpc 2026-02-09 02:24:15 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:2227 https://access.redhat.com/errata/RHSA-2026:2227

Comment 11 errata-xmlrpc 2026-02-10 07:36:32 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:2389 https://access.redhat.com/errata/RHSA-2026:2389

Comment 12 errata-xmlrpc 2026-02-10 09:04:03 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2026:2401 https://access.redhat.com/errata/RHSA-2026:2401

Comment 13 errata-xmlrpc 2026-02-10 09:06:57 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2026:2399 https://access.redhat.com/errata/RHSA-2026:2399

Comment 14 errata-xmlrpc 2026-02-10 09:10:02 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:2400 https://access.redhat.com/errata/RHSA-2026:2400

Comment 15 errata-xmlrpc 2026-02-10 16:15:15 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2026:2455 https://access.redhat.com/errata/RHSA-2026:2455

Comment 17 errata-xmlrpc 2026-02-25 14:32:32 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2026:2976 https://access.redhat.com/errata/RHSA-2026:2976

Comment 18 errata-xmlrpc 2026-02-26 14:42:25 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2026:2974 https://access.redhat.com/errata/RHSA-2026:2974

Comment 19 errata-xmlrpc 2026-03-04 08:53:06 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2026:3417 https://access.redhat.com/errata/RHSA-2026:3417

Comment 20 errata-xmlrpc 2026-03-04 15:35:31 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.19

Via RHSA-2026:3392 https://access.redhat.com/errata/RHSA-2026:3392

Comment 21 errata-xmlrpc 2026-03-05 11:24:34 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2026:3415 https://access.redhat.com/errata/RHSA-2026:3415

Comment 22 errata-xmlrpc 2026-03-12 02:48:38 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2026:3861 https://access.redhat.com/errata/RHSA-2026:3861

Comment 23 errata-xmlrpc 2026-03-19 05:48:56 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2026:4419 https://access.redhat.com/errata/RHSA-2026:4419

Comment 24 errata-xmlrpc 2026-03-19 07:41:05 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2026:4465 https://access.redhat.com/errata/RHSA-2026:4465

Comment 25 errata-xmlrpc 2026-03-26 20:25:47 UTC

This issue has been addressed in the following products:

  Red Hat Satellite 6.17 for RHEL 9

Via RHSA-2026:5970 https://access.redhat.com/errata/RHSA-2026:5970

Comment 26 errata-xmlrpc 2026-03-26 20:26:29 UTC

This issue has been addressed in the following products:

  Red Hat Satellite 6.16 for RHEL 8
  Red Hat Satellite 6.16 for RHEL 9

Via RHSA-2026:5971 https://access.redhat.com/errata/RHSA-2026:5971