CVE-2025-64509

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-64509

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64509.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-64509

Aliases

GHSA-rrx3-2x4g-mq2h

Published

2025-11-10T21:46:11Z

Modified

2025-11-13T02:58:13.931444Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Bugsink vulnerable to unauthenticated remote DoS via crafted Brotli input (via CPU)

Details

Bugsink is a self-hosted error tracking tool. In versions prior to 2.0.6, a specially crafted Brotli-compressed envelope can cause Bugsink to spend excessive CPU time in decompression, leading to denial of service. This can be done if the DSN is known, which it is in many common setups (JavaScript, Mobile Apps). The issue is patched in Bugsink 2.0.6. The vulnerability is similar to, but distinct from, another brotli-related problem in Bugsink, GHSA-fc2v-vcwj-269v/CVE-2025-64508.

Database specific

{
    "cwe_ids": [
        "CWE-770"
    ]
}

References

https://github.com/bugsink/bugsink/security/advisories/GHSA-rrx3-2x4g-mq2h

Affected packages

Git / github.com/bugsink/bugsink

Affected ranges

Type

GIT

Repo

https://github.com/bugsink/bugsink

Events

Introduced

Fixed

473d4de6d2de72a3bdee2905f540ce1afb67ce16

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.0.6"
        }
    ]
}

Affected versions

0.*

0.1.0

0.1.1

0.1.10

0.1.11

0.1.12

0.1.13

0.1.14

0.1.15

0.1.16

0.1.17

0.1.18

0.1.19

0.1.2

0.1.20

0.1.3

0.1.4

0.1.5

0.1.6

0.1.7

0.1.8

0.1.9

1.*

1.0.0

1.0.1

1.1.0

1.1.1

1.1.2

1.2.0

1.3.0

1.4.0

1.4.1

1.4.2

1.5.0

1.5.1

1.5.2

1.5.3

1.5.4

1.6.0

1.6.1

1.6.2

1.6.3

1.7.0

1.7.1

1.7.2

1.7.3

1.7.5

1.7.6

2.*

2.0.0

2.0.0a1

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5