7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-64509

GHSA ID

GHSA-rrx3-2x4g-mq2h

EPSS Score

0.11735%

CWE

CWE-770

Published

11/13/2025

Updated

11/13/2025

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-64509

CVE-2025-64509: Bugsink is vulnerable to unauthenticated remote DoS via crafted Brotli input (via CPU)

Impact

In affected versions, a specially crafted Brotli-compressed envelope can cause Bugsink to spend excessive CPU time in decompression, leading to denial of service.

This can be done if the DSN is known, which it is in many common setups (JavaScript, Mobile Apps).

Patches

Patched in Bugsink 2.0.6

References

The vulnerability in this security advisory is similar to, but distinct from, another brotli-related problem in Bugsink:

https://github.com/bugsink/bugsink/security/advisories/GHSA-fc2v-vcwj-269v

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-64509

CVE-2025-64509:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-64509

GHSA ID

GHSA-rrx3-2x4g-mq2h

EPSS Score

0.11735%

CWE

CWE-770

Published

11/13/2025

Updated

11/13/2025

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
bugsink	pip	< 2.0.6	2.0.6

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a denial-of-service in the Brotli decompression process in bugsink. The analysis of the provided patch commit 1201f754e39265d2aac58edf49dc380bac334388 points directly to the brotli_generator function in bugsink/streams.py as the source of the vulnerability. The patch modifies this function to add checks that prevent an infinite loop during decompression. A malicious actor could send a crafted Brotli-compressed payload that would cause the original code to loop indefinitely, consuming CPU resources and making the service unresponsive. The vulnerable function, brotli_generator, would be visible in a runtime profile during an exploit, as it would be stuck in a tight loop. The fix involves adding assertions to ensure that the decompressor is always making progress, either by producing data or by reaching a finished state.

Vulnerable functions

brotli_generator

bugsink/streams.py

The vulnerability lies in the `brotli_generator` function, which is responsible for decompressing Brotli-encoded data. The original implementation had a `while` loop that could become an infinite loop if a specially crafted Brotli input was provided. The loop condition `while not (decompressor.is_finished() and input_is_finished)` could remain true indefinitely if the decompressor neither finished nor produced output, causing excessive CPU usage and a denial of service. The patch introduces assertions to ensure that the decompression process always makes progress, either by producing output or by finishing, thus preventing the infinite loop.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-64509: Bugsink is vulnerable to unauthenticated remote DoS via crafted Brotli input (via CPU)

Impact

Patches

References

CVE-2025-64509:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

7.5

7.5

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

CVE-2025-64509: Bugsink is vulnerable to unauthenticated remote DoS via crafted Brotli input (via CPU)

Impact

Patches

References

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI