CVE-2025-6998 in Calibre Webinfo

Summary

by MITRE • 07/24/2025

ReDoS in strip_whitespaces() function in cps/string_helper.py in janeczku Calibre Web 0.6.24 (Nicolette) allows unauthenticated remote attackers to cause denial of service via specially crafted username parameter that triggers catastrophic backtracking during login.


ReDoS in strip_whitespaces() function in cps/string_helper.py in gelbphoenix Autocaliweb 0.7.0 on allows unauthenticated remote attackers to cause denial of service via specially crafted username parameter that triggers catastrophic backtracking during login.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/25/2025

The vulnerability CVE-2025-6998 represents a regular expression denial of service flaw affecting two distinct web applications that utilize similar string processing functions. This issue resides within the strip_whitespaces() function located in cps/string_helper.py within the janeczku Calibre Web 0.6.24 application and the gelbphoenix Autocaliweb 0.7.0 application. Both applications are vulnerable to unauthenticated remote attacks that can trigger catastrophic backtracking during the login process through manipulation of the username parameter. The core technical flaw stems from poorly constructed regular expressions that fail to handle malicious input patterns efficiently, leading to exponential execution time growth when processing specially crafted strings.

The operational impact of this vulnerability extends beyond simple service disruption as it provides attackers with a straightforward method to compromise system availability. During the authentication process, when users submit login credentials, the system processes the username through the vulnerable strip_whitespaces() function. Malicious actors can construct username parameters containing regular expression patterns designed to trigger backtracking behavior in the regex engine. This results in the system consuming excessive computational resources and potentially hanging or crashing during the authentication attempt, effectively creating a denial of service condition that affects legitimate users attempting to access the application.

From a security framework perspective, this vulnerability maps directly to CWE-400, which specifically addresses Regular Expression Denial of Service vulnerabilities in software applications. The attack pattern aligns with ATT&CK technique T1499.004, which covers network denial of service attacks through resource exhaustion. The vulnerability demonstrates poor input validation practices and inadequate sanitization of user-supplied data, particularly in authentication pathways where such processing occurs. Both affected applications fail to implement proper regex complexity limits or input length restrictions that would prevent malicious patterns from triggering the catastrophic backtracking behavior.

Mitigation strategies for this vulnerability require immediate attention from system administrators and developers. The primary remediation involves either refactoring the regular expression patterns in the strip_whitespaces() function to eliminate vulnerable constructs or implementing input validation that limits the complexity and length of strings processed by the regex engine. Additionally, developers should consider implementing rate limiting mechanisms at the authentication layer to prevent abuse of this vulnerability through automated attack scripts. The recommended approach includes replacing problematic regex patterns with more efficient alternatives or implementing proper timeout mechanisms that prevent excessive processing time. Organizations should also consider implementing intrusion detection systems that can identify and block suspicious login attempts containing known malicious regex patterns, providing an additional layer of defense against exploitation attempts.

Responsible

Fluid Attacks

Reservation

07/02/2025

Disclosure

07/24/2025

Moderation

accepted

CPE

ready

EPSS

0.00828

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!