Description

Bugsink is a self-hosted error tracking tool. In versions prior to 2.0.5, brotli "bombs" (highly compressed brotli streams, such as many zeros) can be sent to the server. Since the server will attempt to decompress these streams before applying various maximums, this can lead to exhaustion of the available memory and thus a Denial of Service. This can be done if the `DSN` is known, which it is in many common setups (JavaScript, Mobile Apps). The issue is patched in Bugsink version `2.0.5`. The vulnerability is similar to, but distinct from, another brotli-related problem in Bugsink, GHSA-rrx3-2x4g-mq2h/CVE-2025-64509.

INFO

Published Date :

2025-11-10T21:44:24.832Z

Last Modified :

2025-11-12T20:14:15.890Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-64508 vulnerability.

Vendors Products
Bugsink
  • Bugsink
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-64508.

URL Resource
https://github.com/bugsink/bugsink/commit/3f65544aab3ad5303d97009136640de97b0676a5 cve-icon cve-icon
https://github.com/bugsink/bugsink/pull/266 cve-icon cve-icon
https://github.com/bugsink/bugsink/security/advisories/GHSA-fc2v-vcwj-269v cve-icon cve-icon
https://github.com/google/brotli/commit/67d78bc41db1a0d03f2e763497748f2f69946627 cve-icon cve-icon
https://github.com/google/brotli/issues/1327 cve-icon cve-icon
https://github.com/google/brotli/issues/1375 cve-icon cve-icon
https://github.com/google/brotli/pull/1234 cve-icon cve-icon
https://github.com/google/brotli/releases/tag/v1.2.0 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact