CVE-2025-6998

ReDoS in strip_whitespaces() function in cps/string_helper.py in Calibre Web and Autocaliweb allows unauthenticated remote attackers to cause denial of service via specially crafted username parameter that triggers catastrophic backtracking during login. This issue affects Calibre Web: 0.6.24 (Nicolette); Autocaliweb: from 0.7.0 before 0.7.1.

CVSS

No CVSS.

References

Link	Resource
https://fluidattacks.com/advisories/megadeth
https://github.com/gelbphoenix/autocaliweb
https://github.com/janeczku/calibre-web

Configurations

No configuration.

History

No history.

Information

Published : 2025-07-24 20:15

Updated : 2025-07-25 15:29

NVD link : CVE-2025-6998

Mitre link : CVE-2025-6998

CVE.ORG link : CVE-2025-6998

JSON object : View

Products Affected

No product.

CWE

CWE-1333

Inefficient Regular Expression Complexity

{"id": "CVE-2025-6998", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-07-24T20:15:27.013", "references": [{"url": "https://fluidattacks.com/advisories/megadeth", "source": "[email protected]"}, {"url": "https://github.com/gelbphoenix/autocaliweb", "source": "[email protected]"}, {"url": "https://github.com/janeczku/calibre-web", "source": "[email protected]"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-1333"}]}], "descriptions": [{"lang": "en", "value": "ReDoS in strip_whitespaces() function in cps/string_helper.py in Calibre Web and Autocaliweb allows\u00a0unauthenticated remote attackers to cause denial of service via specially crafted username parameter that triggers catastrophic backtracking during login.\u00a0This issue affects Calibre Web: 0.6.24 (Nicolette); Autocaliweb: from 0.7.0 before 0.7.1."}, {"lang": "es", "value": "El ReDoS en la funci\u00f3n strip_whitespaces() de cps/string_helper.py en Calibre Web y Autocaliweb permite a atacantes remotos no autenticados causar una denegaci\u00f3n de servicio mediante un par\u00e1metro de nombre de usuario especialmente manipulado que desencadena un retroceso catastr\u00f3fico durante el inicio de sesi\u00f3n. Este problema afecta a Calibre Web: 0.6.24 (Nicolette); Autocaliweb: de la versi\u00f3n 0.7.0 a la 0.7.1."}], "lastModified": "2025-07-25T15:29:19.837", "sourceIdentifier": "[email protected]"}

CVE-2025-6998

JSON object

Attach tags to CVE-2025-6998

Attach tags to `CVE-2025-6998`