CVE-2025-6176 in Scrapy

Summary

by MITRE • 10/31/2025

Scrapy versions up to 2.13.2 are vulnerable to a denial of service (DoS) attack due to a flaw in its brotli decompression implementation. The protection mechanism against decompression bombs fails to mitigate the brotli variant, allowing remote servers to crash clients with less than 80GB of available memory. This occurs because brotli can achieve extremely high compression ratios for zero-filled data, leading to excessive memory consumption during decompression.


Analysis

by VulDB Data Team • 02/09/2026

The vulnerability identified as CVE-2025-6176 represents a critical denial of service weakness in versions of the Scrapy web scraping framework prior to 2.13.3. The flaw lies in the brotli decompression path that Scrapy uses when processing compressed HTTP responses from web servers. The issue arises from insufficient validation within the decompression pipeline, which fails to guard against decompression bomb attacks that use the brotli compression algorithm. Security researchers have identified that attackers can exploit this weakness by serving responses compressed with brotli at extremely high ratios, in particular zero-filled data, for which the algorithm can achieve compression rates exceeding 1000:1.

The implementation flaw stems from the absence of adequate memory consumption limits during brotli decompression in Scrapy's processing pipeline. When a client encounters a brotli-compressed response, decompression begins without bounds checking on the output size relative to available memory. The vulnerability manifests when the decompressor encounters data that is tiny in compressed form but expands to an enormous memory footprint, so that a few kilobytes of compressed data trigger gigabytes of memory allocation. The protection mechanism that guards against decompression bombs for Scrapy's other compression formats is ineffective for this brotli variant: because the malicious payload is small on the wire, a check on the compressed size never triggers, and the decoded size is never bounded.

The operational impact of this vulnerability extends beyond simple service disruption to potentially compromise entire scraping operations and system stability. Remote attackers can exploit this weakness by sending specially crafted brotli-compressed responses to Scrapy clients, causing them to consume excessive memory resources and ultimately leading to process termination or system instability. Systems with limited memory capacity, particularly those running on resource-constrained environments, face the highest risk of complete system failure or crash. The vulnerability affects any Scrapy deployment that processes HTTP responses containing brotli compression, making it particularly dangerous for large-scale scraping operations that may encounter maliciously crafted responses from various sources. This issue can be exploited in both direct attacks against scraping infrastructure and through indirect means such as compromised websites that serve as attack vectors.

Mitigation strategies for CVE-2025-6176 require immediate implementation of version updates to Scrapy 2.13.3 or later, which contain fixed decompression handling routines with appropriate memory limits. Organizations should also consider implementing additional network-level protections such as proxy configurations that enforce maximum response size limits before decompression occurs. Security teams should monitor their Scrapy deployments for any signs of unusual memory consumption patterns that might indicate exploitation attempts. The vulnerability aligns with CWE-400, which addresses unrestricted resource consumption, and maps to ATT&CK technique T1499.004 for denial of service through resource exhaustion. Additionally, implementing proper input validation and decompression timeout mechanisms can provide defense-in-depth protection, while network segmentation and monitoring solutions can help detect and prevent exploitation attempts targeting this specific weakness in web scraping frameworks.
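The memory limit the analysis calls for has to be enforced on the decoded output while decoding, not on the compressed input. The following is an added example (not Scrapy's own code, and not its fix) of a bounded streaming decoder: it decodes in steps, tracks the bytes produced so far, and aborts as soon as the budget is exceeded. The zlib adapter is exercised on a constructed zero-filled bomb; the brotli adapter assumes the `brotli.Decompressor().process()` API of the PyPI `Brotli` package and is only used if that package is installed.

```python
"""Bounded streaming decompression as a decompression-bomb guard.
Added example, not Scrapy's code; all names here are this example's own."""
import zlib
try:
    import brotli  # PyPI package "Brotli"; optional for this example
except ImportError:
    brotli = None

class DecompressionBombError(Exception):
    """Decoded output would exceed the configured byte budget."""

def zlib_stepper():
    """Adapter over zlib.decompressobj; max_length caps output inside zlib."""
    d = zlib.decompressobj(zlib.MAX_WBITS | 32)  # accepts zlib or gzip framing
    def step(chunk, room):
        out = d.decompress(chunk, room + 1)  # one byte past budget => overflow
        if len(out) > room:
            raise DecompressionBombError("decoded size exceeds limit")
        return out
    return step

def brotli_stepper():
    """Adapter over brotli.Decompressor (assumed API: process(bytes) -> bytes).
    process() has no output cap, so feed small input chunks: the check can
    only trip after a chunk's full expansion has already been produced."""
    d = brotli.Decompressor()
    def step(chunk, room):
        out = d.process(chunk)
        if len(out) > room:
            raise DecompressionBombError("decoded size exceeds limit")
        return out
    return step

def decode_bounded(payload, step, max_size, chunk_size=1024):
    """Decode payload incrementally; never hold more than max_size bytes."""
    buf = bytearray()
    for i in range(0, len(payload), chunk_size):
        buf += step(payload[i:i + chunk_size], max_size - len(buf))
    return bytes(buf)

def is_bomb(payload, step, max_size):
    """True if decoding payload would exceed max_size (what a guard rejects)."""
    try:
        decode_bounded(payload, step, max_size)
        return False
    except DecompressionBombError:
        return True

def zero_bomb_zlib(size):
    return zlib.compress(b"\x00" * size, 9)  # constructed sample: zeros, ~1000:1
```

A real deployment would pass the same per-response budget to every encoding it accepts, so that no single format (brotli included) escapes the check.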

Responsible

@huntr Ai

Reservation

06/16/2025

Disclosure

10/31/2025

Moderation

accepted

CPE

ready

EPSS

0.00034

KEV

no

Activities

very low
