Cloud Vulnerability DB
A community-led vulnerabilities database
Vulnerability DatabaseCVE-2025-6176
CVE-2025-6176:
Python vulnerability analysis and mitigation
Overview
Scrapy versions up to 2.13.2 are vulnerable to a denial of service (DoS) attack due to a flaw in its brotli decompression implementation. The vulnerability was discovered and disclosed on October 30, 2025, and is tracked as CVE-2025-6176 (NVD).
Technical details
The vulnerability stems from a failure in the protection mechanism against decompression bombs specifically for the brotli variant. The issue arises because brotli can achieve extremely high compression ratios for zero-filled data, which leads to excessive memory consumption during decompression. The vulnerability has been assigned a CVSS v3.0 base score of 7.5 (HIGH) with the vector string CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating a high-severity issue with network accessibility and no required privileges or user interaction (NVD).
Impact
When exploited, this vulnerability allows remote servers to crash clients with less than 80GB of available memory. The attack specifically targets the resource consumption aspect of the system, leading to denial of service conditions. The vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption) (NVD).
Additional resources
Source: This report was generated using AI
Related Python vulnerabilities:
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Additional Wiz resources
Get a personalized demo
Ready to see Wiz in action?
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management