QwikSec

Security Database

CVE

CWE

Training

CVE-2025-6998

Published: Jul 24, 2025

Modified: Jul 25, 2025

PUBLISHED

Description

ReDoS in strip_whitespaces() function in cps/string_helper.py in Calibre Web and Autocaliweb allows unauthenticated remote attackers to cause denial of service via specially crafted username parameter that triggers catastrophic backtracking during login. This issue affects Calibre Web: 0.6.24 (Nicolette); Autocaliweb: from 0.7.0 before 0.7.1.

Vendor	Product	Versions
Calibre Web	Calibre Web	affected `0.6.24`
Autocaliweb	Autocaliweb	affected `0.7.0 - < 0.7.1`

Weaknesses (CWE)

References

https://fluidattacks.com/advisories/megadeth

third-party-advisory

https://github.com/janeczku/calibre-web

product

https://github.com/gelbphoenix/autocaliweb

product

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.