QwikSec

Security Database

CVE

CWE

Training

CVE-2025-64508

Published: Nov 10, 2025

Modified: Nov 12, 2025

PUBLISHED

CVSS v3.1

7.5

HIGH

Description

Bugsink is a self-hosted error tracking tool. In versions prior to 2.0.5, brotli "bombs" (highly compressed brotli streams, such as many zeros) can be sent to the server. Since the server will attempt to decompress these streams before applying various maximums, this can lead to exhaustion of the available memory and thus a Denial of Service. This can be done if the `DSN` is known, which it is in many common setups (JavaScript, Mobile Apps). The issue is patched in Bugsink version `2.0.5`. The vulnerability is similar to, but distinct from, another brotli-related problem in Bugsink, GHSA-rrx3-2x4g-mq2h/CVE-2025-64509.

Vendor	Product	Versions
bugsink	bugsink	affected `< 2.0.5`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

References

https://github.com/bugsink/bugsink/security/advisories/GHSA-fc2v-vcwj-269v

x_refsource_CONFIRM

https://github.com/google/brotli/issues/1327

x_refsource_MISC

https://github.com/google/brotli/issues/1375

x_refsource_MISC

https://github.com/bugsink/bugsink/pull/266

x_refsource_MISC

https://github.com/google/brotli/pull/1234

x_refsource_MISC

https://github.com/bugsink/bugsink/commit/3f65544aab3ad5303d97009136640de97b0676a5

x_refsource_MISC

https://github.com/google/brotli/commit/67d78bc41db1a0d03f2e763497748f2f69946627

x_refsource_MISC

https://github.com/google/brotli/releases/tag/v1.2.0

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.