CVE-2025-64509 — Bugsink is vulnerable to unauthenticated remote DoS via crafted Brotli input (vi

Description

### Impact In affected versions, a specially crafted Brotli-compressed envelope can cause Bugsink to spend excessive CPU time in decompression, leading to denial of service. This can be done if the DSN is known, which it is in many common setups (JavaScript, Mobile Apps). ### Patches Patched in Bugsink 2.0.6 ### References The vulnerability in this security advisory is similar to, but distinct from, another brotli-related problem in Bugsink: https://github.com/bugsink/bugsink/security/advisories/GHSA-fc2v-vcwj-269v

How to fix CVE-2025-64509

To remediate CVE-2025-64509, upgrade the affected package to a fixed version below.

—upgrade to 2.0.6 or later

Is CVE-2025-64509 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 2.0.6

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-64509
PATCHgithub.com/bugsink/bugsink
WEBgithub.com/bugsink/bugsink/commit/1201f754e39265d2aac58edf49dc380bac334388
WEBgithub.com/bugsink/bugsink/security/advisories/GHSA-rrx3-2x4g-mq2h