CVE-2025-6998: 
Python vulnerability analysis and mitigation

A Regular Expression Denial of Service (ReDoS) vulnerability has been identified in the stripwhitespaces() function within cps/stringhelper.py of Calibre Web version 0.6.24 (Nicolette) and Autocaliweb versions 0.7.0 to 0.7.1. The vulnerability, tracked as CVE-2025-6998, allows unauthenticated remote attackers to cause a denial of service condition through specially crafted username parameters during login attempts (Fluid Attacks).

The vulnerability exists in the strip_whitespaces() function which uses a regular expression that is vulnerable to catastrophic backtracking when processing specially crafted input. The function is applied directly to the username parameter during login and as part of the rate-limiting logic via @limiter.limit(), making it exploitable without authentication. The vulnerability has been assigned a CVSS v4.0 base score of 8.7 (High) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N, indicating it is network-accessible and requires no privileges to exploit (Fluid Attacks).

When successfully exploited, the vulnerability causes the backend server to hang for a significant amount of time, resulting in a denial of service condition that affects the application's availability. The attack can be executed by unauthenticated remote attackers, potentially disrupting service for legitimate users (Fluid Attacks).

For Autocaliweb users, the vulnerability has been patched in version 0.7.1. However, there is currently no patch available for the Calibre Web project version 0.6.24. Users of Calibre Web should monitor for updates and consider implementing additional security controls at the network level to protect against unauthenticated access to the login endpoint (Fluid Attacks).