CVE-2025-64508
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-64508
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64508.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-64508
- Aliases
- Published
- 2025-11-10T21:44:24Z
- Modified
- 2025-11-14T15:50:37.623116Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Bugsink vulnerable to unauthenticated remote DoS via crafted Brotli input
- Details
-
Bugsink is a self-hosted error tracking tool. In versions prior to 2.0.5, brotli "bombs" (highly compressed brotli streams, such as many zeros) can be sent to the server. Since the server will attempt to decompress these streams before applying various maximums, this can lead to exhaustion of the available memory and thus a Denial of Service. This can be done if the
DSNis known, which it is in many common setups (JavaScript, Mobile Apps). The issue is patched in Bugsink version2.0.5. The vulnerability is similar to, but distinct from, another brotli-related problem in Bugsink, GHSA-rrx3-2x4g-mq2h/CVE-2025-64509. - Database specific
{ "cwe_ids": [ "CWE-770" ] }- References
-
- https://github.com/bugsink/bugsink/commit/3f65544aab3ad5303d97009136640de97b0676a5
- https://github.com/bugsink/bugsink/pull/266
- https://github.com/bugsink/bugsink/security/advisories/GHSA-fc2v-vcwj-269v
- https://github.com/google/brotli/commit/67d78bc41db1a0d03f2e763497748f2f69946627
- https://github.com/google/brotli/issues/1327
- https://github.com/google/brotli/issues/1375
- https://github.com/google/brotli/pull/1234
- https://github.com/google/brotli/releases/tag/v1.2.0
Affected packages
Git / github.com/google/brotli
Affected ranges
- Type
- GIT
- Repo
- https://github.com/google/brotli
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedFixed
Affected versions
Other
dev/null
go/brotli/v1.*
go/brotli/v1.1.1-rc0
go/cbrotli/v1.*
go/cbrotli/v1.1.0
go/cbrotli/v1.1.0.bcr.0
go/cbrotli/v1.1.0.bcr.1
go/cbrotli/v1.1.1-rc0
v0.*
v0.1.0
v0.2.0
v0.3.0
v0.4.0
v0.6.0
v1.*
v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.0.4
v1.0.5
v1.0.6
v1.0.7
v1.0.8
v1.0.9
v1.1.0
v1.1.0rc
v1.2.0rc1
v1.2.0rc2
Git / github.com/bugsink/bugsink
Affected ranges
- Type
- GIT
- Repo
- https://github.com/bugsink/bugsink
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
0.*
0.1.0
0.1.1
0.1.10
0.1.11
0.1.12
0.1.13
0.1.14
0.1.15
0.1.16
0.1.17
0.1.18
0.1.19
0.1.2
0.1.20
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.1.8
0.1.9
1.*
1.0.0
1.0.1
1.1.0
1.1.1
1.1.2
1.2.0
1.3.0
1.4.0
1.4.1
1.4.2
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.6.0
1.6.1
1.6.2
1.6.3
1.7.0
1.7.1
1.7.2
1.7.3
1.7.5
1.7.6
2.*
2.0.0
2.0.0a1
2.0.1
2.0.2
2.0.3
2.0.4