CVE-2025-6998

HIGH

Pypi Calibreweb - Denial of Service

Title source: rule

Description

ReDoS in strip_whitespaces() function in cps/string_helper.py in Calibre Web and Autocaliweb allows unauthenticated remote attackers to cause denial of service via specially crafted username parameter that triggers catastrophic backtracking during login. This issue affects Calibre Web: 0.6.24 (Nicolette); Autocaliweb: from 0.7.0 before 0.7.1.

Exploits (1)

nomisec WORKING POC

by mind2hex · poc

https://github.com/mind2hex/CVE-2025-6998-CalibreWeb-0.6.24-ReDoS

View Code ZIP pw:eip

References (3)

[Various Sources] https://fluidattacks.com/advisories/megadeth

[Various Sources] https://github.com/gelbphoenix/autocaliweb

[Various Sources] https://github.com/janeczku/calibre-web

Scores

CVSS v4 8.7

EPSS 0.0008

EPSS Percentile 23.1%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Details

CWE

CWE-1333

Status published

Products (3)

Autocaliweb/Autocaliweb 0.7.0 - 0.7.1

Calibre Web/Calibre Web 0.6.24

pypi/calibreweb 0PyPI

Published Jul 24, 2025

Tracked Since Feb 18, 2026