{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"moderate"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2025-6176","title":"Title"},{"category":"description","text":"Scrapy versions up to 2.13.2 are vulnerable to a denial of service (DoS) attack due to a flaw in its brotli decompression implementation. The protection mechanism against decompression bombs fails to mitigate the brotli variant, allowing remote servers to crash clients with less than 80GB of available memory. This occurs because brotli can achieve extremely high compression ratios for zero-filled data, leading to excessive memory consumption during decompression.","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2025-6176","url":"https://www.suse.com/security/cve/CVE-2025-6176"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1252945 for CVE-2025-6176","url":"https://bugzilla.suse.com/1252945"},{"category":"external","summary":"Advisory link for RHSA-2026:2389","url":"https://lists.suse.com/pipermail/suse-liberty-linux-updates/2026-February/002492.html"}],"title":"SUSE CVE CVE-2025-6176","tracking":{"current_release_date":"2026-02-23T00:27:21Z","generator":{"date":"2025-11-01T04:02:01Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2025-6176","initial_release_date":"2025-11-01T04:02:01Z","revision_history":[{"date":"2025-11-01T04:02:01Z","number":"2","summary":"Current version"},{"date":"2025-11-13T00:45:03Z","number":"3","summary":"Current version"},{"date":"2026-02-12T00:40:28Z","number":"4","summary":"more updates released,references added"},{"date":"2026-02-23T00:27:21Z","number":"5","summary":"more updates released"}],"status":"interim","version":"5"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_name","name":"SUSE Liberty Linux 8","product":{"name":"SUSE Liberty Linux 8","product_id":"SUSE Liberty Linux 8","product_identification_helper":{"cpe":"cpe:/o:suse:sll:8"}}},{"category":"product_name","name":"openSUSE Tumbleweed","product":{"name":"openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed","product_identification_helper":{"cpe":"cpe:/o:opensuse:tumbleweed"}}},{"category":"product_version","name":"brotli-1.0.6-4.el8_10","product":{"name":"brotli-1.0.6-4.el8_10","product_id":"brotli-1.0.6-4.el8_10","product_identification_helper":{"cpe":"cpe:2.3:a:google:brotli:1.0.6:*:*:*:*:*:*:*","purl":"pkg:rpm/suse/brotli@1.0.6-4.el8_10?upstream=brotli-1.0.6-4.el8_10.src.rpm"}}},{"category":"product_version","name":"brotli-devel-1.0.6-4.el8_10","product":{"name":"brotli-devel-1.0.6-4.el8_10","product_id":"brotli-devel-1.0.6-4.el8_10","product_identification_helper":{"purl":"pkg:rpm/suse/brotli-devel@1.0.6-4.el8_10"}}},{"category":"product_version","name":"python-Scrapy-doc-2.13.3-2.1","product":{"name":"python-Scrapy-doc-2.13.3-2.1","product_id":"python-Scrapy-doc-2.13.3-2.1","product_identification_helper":{"purl":"pkg:rpm/suse/python-Scrapy-doc@2.13.3-2.1"}}},{"category":"product_version","name":"python3-brotli-1.0.6-4.el8_10","product":{"name":"python3-brotli-1.0.6-4.el8_10","product_id":"python3-brotli-1.0.6-4.el8_10","product_identification_helper":{"purl":"pkg:rpm/suse/python3-brotli@1.0.6-4.el8_10"}}},{"category":"product_version","name":"python311-Brotli-1.2.0-1.1","product":{"name":"python311-Brotli-1.2.0-1.1","product_id":"python311-Brotli-1.2.0-1.1","product_identification_helper":{"purl":"pkg:rpm/suse/python311-Brotli@1.2.0-1.1?upstream=python-Brotli-1.2.0-1.1.src.rpm"}}},{"category":"product_version","name":"python311-Scrapy-2.13.3-2.1","product":{"name":"python311-Scrapy-2.13.3-2.1","product_id":"python311-Scrapy-2.13.3-2.1","product_identification_helper":{"purl":"pkg:rpm/suse/python311-Scrapy@2.13.3-2.1"}}},{"category":"product_version","name":"python311-py7zr-1.1.0-1.1","product":{"name":"python311-py7zr-1.1.0-1.1","product_id":"python311-py7zr-1.1.0-1.1","product_identification_helper":{"purl":"pkg:rpm/suse/python311-py7zr@1.1.0-1.1"}}},{"category":"product_version","name":"python312-Brotli-1.2.0-1.1","product":{"name":"python312-Brotli-1.2.0-1.1","product_id":"python312-Brotli-1.2.0-1.1","product_identification_helper":{"purl":"pkg:rpm/suse/python312-Brotli@1.2.0-1.1"}}},{"category":"product_version","name":"python312-Scrapy-2.13.3-2.1","product":{"name":"python312-Scrapy-2.13.3-2.1","product_id":"python312-Scrapy-2.13.3-2.1","product_identification_helper":{"purl":"pkg:rpm/suse/python312-Scrapy@2.13.3-2.1"}}},{"category":"product_version","name":"python312-py7zr-1.1.0-1.1","product":{"name":"python312-py7zr-1.1.0-1.1","product_id":"python312-py7zr-1.1.0-1.1","product_identification_helper":{"purl":"pkg:rpm/suse/python312-py7zr@1.1.0-1.1"}}},{"category":"product_version","name":"python313-Brotli-1.2.0-1.1","product":{"name":"python313-Brotli-1.2.0-1.1","product_id":"python313-Brotli-1.2.0-1.1","product_identification_helper":{"purl":"pkg:rpm/suse/python313-Brotli@1.2.0-1.1?upstream=python-Brotli-1.2.0-1.1.src.rpm"}}},{"category":"product_version","name":"python313-Scrapy-2.13.3-2.1","product":{"name":"python313-Scrapy-2.13.3-2.1","product_id":"python313-Scrapy-2.13.3-2.1","product_identification_helper":{"purl":"pkg:rpm/suse/python313-Scrapy@2.13.3-2.1"}}},{"category":"product_version","name":"python313-py7zr-1.1.0-1.1","product":{"name":"python313-py7zr-1.1.0-1.1","product_id":"python313-py7zr-1.1.0-1.1","product_identification_helper":{"purl":"pkg:rpm/suse/python313-py7zr@1.1.0-1.1"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"brotli-1.0.6-4.el8_10 as component of SUSE Liberty Linux 8","product_id":"SUSE Liberty Linux 8:brotli-1.0.6-4.el8_10"},"product_reference":"brotli-1.0.6-4.el8_10","relates_to_product_reference":"SUSE Liberty Linux 8"},{"category":"default_component_of","full_product_name":{"name":"brotli-devel-1.0.6-4.el8_10 as component of SUSE Liberty Linux 8","product_id":"SUSE Liberty Linux 8:brotli-devel-1.0.6-4.el8_10"},"product_reference":"brotli-devel-1.0.6-4.el8_10","relates_to_product_reference":"SUSE Liberty Linux 8"},{"category":"default_component_of","full_product_name":{"name":"python3-brotli-1.0.6-4.el8_10 as component of SUSE Liberty Linux 8","product_id":"SUSE Liberty Linux 8:python3-brotli-1.0.6-4.el8_10"},"product_reference":"python3-brotli-1.0.6-4.el8_10","relates_to_product_reference":"SUSE Liberty Linux 8"},{"category":"default_component_of","full_product_name":{"name":"python-Scrapy-doc-2.13.3-2.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:python-Scrapy-doc-2.13.3-2.1"},"product_reference":"python-Scrapy-doc-2.13.3-2.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"python311-Brotli-1.2.0-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:python311-Brotli-1.2.0-1.1"},"product_reference":"python311-Brotli-1.2.0-1.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"python311-Scrapy-2.13.3-2.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:python311-Scrapy-2.13.3-2.1"},"product_reference":"python311-Scrapy-2.13.3-2.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"python311-py7zr-1.1.0-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:python311-py7zr-1.1.0-1.1"},"product_reference":"python311-py7zr-1.1.0-1.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"python312-Brotli-1.2.0-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:python312-Brotli-1.2.0-1.1"},"product_reference":"python312-Brotli-1.2.0-1.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"python312-Scrapy-2.13.3-2.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:python312-Scrapy-2.13.3-2.1"},"product_reference":"python312-Scrapy-2.13.3-2.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"python312-py7zr-1.1.0-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:python312-py7zr-1.1.0-1.1"},"product_reference":"python312-py7zr-1.1.0-1.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"python313-Brotli-1.2.0-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:python313-Brotli-1.2.0-1.1"},"product_reference":"python313-Brotli-1.2.0-1.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"python313-Scrapy-2.13.3-2.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:python313-Scrapy-2.13.3-2.1"},"product_reference":"python313-Scrapy-2.13.3-2.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"python313-py7zr-1.1.0-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:python313-py7zr-1.1.0-1.1"},"product_reference":"python313-py7zr-1.1.0-1.1","relates_to_product_reference":"openSUSE Tumbleweed"}]},"vulnerabilities":[{"cve":"CVE-2025-6176","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2025-6176"}],"notes":[{"category":"general","text":"Scrapy versions up to 2.13.2 are vulnerable to a denial of service (DoS) attack due to a flaw in its brotli decompression implementation. The protection mechanism against decompression bombs fails to mitigate the brotli variant, allowing remote servers to crash clients with less than 80GB of available memory. This occurs because brotli can achieve extremely high compression ratios for zero-filled data, leading to excessive memory consumption during decompression.","title":"CVE description"}],"product_status":{"recommended":["SUSE Liberty Linux 8:brotli-1.0.6-4.el8_10","SUSE Liberty Linux 8:brotli-devel-1.0.6-4.el8_10","SUSE Liberty Linux 8:python3-brotli-1.0.6-4.el8_10","openSUSE Tumbleweed:python-Scrapy-doc-2.13.3-2.1","openSUSE Tumbleweed:python311-Brotli-1.2.0-1.1","openSUSE Tumbleweed:python311-Scrapy-2.13.3-2.1","openSUSE Tumbleweed:python311-py7zr-1.1.0-1.1","openSUSE Tumbleweed:python312-Brotli-1.2.0-1.1","openSUSE Tumbleweed:python312-Scrapy-2.13.3-2.1","openSUSE Tumbleweed:python312-py7zr-1.1.0-1.1","openSUSE Tumbleweed:python313-Brotli-1.2.0-1.1","openSUSE Tumbleweed:python313-Scrapy-2.13.3-2.1","openSUSE Tumbleweed:python313-py7zr-1.1.0-1.1"]},"references":[{"category":"external","summary":"CVE-2025-6176","url":"https://www.suse.com/security/cve/CVE-2025-6176"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1252945 for CVE-2025-6176","url":"https://bugzilla.suse.com/1252945"},{"category":"external","summary":"Advisory link for RHSA-2026:2389","url":"https://lists.suse.com/pipermail/suse-liberty-linux-updates/2026-February/002492.html"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["SUSE Liberty Linux 8:brotli-1.0.6-4.el8_10","SUSE Liberty Linux 8:brotli-devel-1.0.6-4.el8_10","SUSE Liberty Linux 8:python3-brotli-1.0.6-4.el8_10","openSUSE Tumbleweed:python-Scrapy-doc-2.13.3-2.1","openSUSE Tumbleweed:python311-Brotli-1.2.0-1.1","openSUSE Tumbleweed:python311-Scrapy-2.13.3-2.1","openSUSE Tumbleweed:python311-py7zr-1.1.0-1.1","openSUSE Tumbleweed:python312-Brotli-1.2.0-1.1","openSUSE Tumbleweed:python312-Scrapy-2.13.3-2.1","openSUSE Tumbleweed:python312-py7zr-1.1.0-1.1","openSUSE Tumbleweed:python313-Brotli-1.2.0-1.1","openSUSE Tumbleweed:python313-Scrapy-2.13.3-2.1","openSUSE Tumbleweed:python313-py7zr-1.1.0-1.1"]}],"threats":[{"category":"impact","date":"2025-10-31T01:04:09Z","details":"moderate"}],"title":"CVE-2025-6176"}]}