CVE-2025-6998

HIGH

Pypi Calibreweb - Denial of Service

Title source: rule
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-6998. PoCs published by mind2hex.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2025-6998, a ReDoS vulnerability in CalibreWeb v0.6.24. The exploit sends a crafted payload to the login endpoint, triggering excessive regex processing time.

Description

ReDoS in strip_whitespaces() function in cps/string_helper.py in Calibre Web and Autocaliweb allows unauthenticated remote attackers to cause denial of service via specially crafted username parameter that triggers catastrophic backtracking during login. This issue affects Calibre Web: 0.6.24 (Nicolette); Autocaliweb: from 0.7.0 before 0.7.1.

Exploits (1)

nomisec WORKING POC
by mind2hex · poc
https://github.com/mind2hex/CVE-2025-6998-CalibreWeb-0.6.24-ReDoS

This repository contains a functional exploit for CVE-2025-6998, a ReDoS vulnerability in CalibreWeb v0.6.24. The exploit sends a crafted payload to the login endpoint, triggering excessive regex processing time.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: CalibreWeb v0.6.24
No auth needed
Prerequisites: Network access to the CalibreWeb login endpoint
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (3)

Core 3
Core References
Various Sources third-party-advisory
https://fluidattacks.com/advisories/megadeth
Various Sources product
https://github.com/janeczku/calibre-web

Scores

CVSS v4 8.7
EPSS 0.0020
EPSS Percentile 42.5%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-1333
Status published
Products (3)
Autocaliweb/Autocaliweb 0.7.0 - 0.7.1
Calibre Web/Calibre Web 0.6.24
pypi/calibreweb 0PyPI
Published Jul 24, 2025
Tracked Since Feb 18, 2026