CVE-2025-30160: 
Rust vulnerability analysis and mitigation

A vulnerability (CVE-2025-30160) was identified in Redlib, an alternative private front-end to Reddit, where an attacker can cause a denial-of-service (DOS) condition by submitting a specially crafted base2048-encoded DEFLATE decompression bomb to the restore_preferences form. The vulnerability was discovered on March 20, 2025, and has been fixed in version 0.36.0 (NVD, GitHub Advisory).

The vulnerability stems from the system automatically decompressing user-supplied data without enforcing size limits in the restore_preferences mechanism. The issue was introduced in commit 2e95e1f and fixed in commit 15147ce. The vulnerability has been assigned a CVSS v4.0 base score of 8.7 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N. The weakness has been categorized under CWE-400 (Uncontrolled Resource Consumption) and CWE-502 (Deserialization of Untrusted Data) (GitHub Advisory).

The vulnerability allows remote attackers with network access to exploit the preference restoration mechanism by providing a compressed payload that expands dramatically upon decompression. This can lead to out-of-memory (OOM) conditions, OS-level resource exhaustion resulting in system instability or crashes, and potential for repeated exploitation keeping the target system in a persistent degraded state. The vulnerability affects all public instances of Redlib (GitHub Advisory).

The vulnerability has been patched in version 0.36.0. Until the patch can be applied, users can implement request size limits at the web server or application level, disable or restrict the restore_preferences route (/settings/encoded-restore) at the reverse-proxy level if not required, and monitor server logs for unusually large or repeated restore_preferences requests and block offending IPs (GitHub Advisory).