Bugsink is vulnerable to unauthenticated remote DoS via crafted Brotli input (via CPU)

GHSA-rrx3-2x4g-mq2h · CVE-2025-64509

Published Nov 13, 2025 · Modified Nov 13, 2025

Description

Impact

In affected versions, a specially crafted Brotli-compressed envelope can cause Bugsink to spend excessive CPU time in decompression, leading to denial of service.

This can be done if the DSN is known, which it is in many common setups (JavaScript, Mobile Apps).

Patches

Patched in Bugsink 2.0.6

References

The vulnerability in this security advisory is similar to, but distinct from, another brotli-related problem in Bugsink:

https://github.com/bugsink/bugsink/security/advisories/GHSA-fc2v-vcwj-269v

References

WEB https://github.com/bugsink/bugsink/security/advisories/GHSA-rrx3-2x4g-mq2h
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-64509
WEB https://github.com/bugsink/bugsink/commit/1201f754e39265d2aac58edf49dc380bac334388
PACKAGE https://github.com/bugsink/bugsink

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes