CVE-2025-6176
DOCUMENTATION: Scrapy is vulnerable to a denial of service (DoS) attack due to a flaw in its brotli decompression implementation. The protection mechanism against decompression bombs fails to cover the brotli variant, allowing a remote server to crash clients with less than 80GB of available memory. This occurs because brotli achieves extremely high compression ratios for zero-filled data, so a small compressed response body expands into an enormous allocation during decompression.
STATEMENT: This vulnerability is rated Important for Red Hat products. The flaw in Scrapy's brotli decompression implementation allows a remote attacker to trigger a denial of service by serving specially crafted brotli-compressed data. This can lead to excessive memory consumption and system instability in affected Red Hat products that process untrusted brotli content, including Red Hat Ansible Automation Platform, OpenShift Container Platform, Red Hat Enterprise Linux, Red Hat In-Vehicle OS, and Red Hat Satellite.
MITIGATION: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
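The check that the DOCUMENTATION paragraph says is missing for brotli is a hard cap on decompressed output enforced while decompressing, not after. The following is an added example (not Scrapy's code and not from the advisory) showing the vulnerable one-shot pattern beside the bounded streaming form. It uses zlib from the Python standard library in place of brotli so it runs without third-party packages; the bomb construction and the defence have the same shape for any compressor that squeezes zero-filled data this hard. The cap value, the chunk size and all helper names are assumptions for illustration, standing in for a per-response limit such as Scrapy's DOWNLOAD_MAXSIZE setting.

```python
"""Bounded decompression as a defence against decompression bombs.

Added example, not part of the CVE page or of Scrapy. zlib stands in for
brotli so the script runs with the standard library only; the attack (tiny
stream of compressed zeros) and the defence (incremental decompression with
an output cap) carry over unchanged.
"""
import zlib
from typing import Optional

MAX_DECOMPRESSED = 1024 * 1024  # assumed per-response cap (the role DOWNLOAD_MAXSIZE plays in Scrapy)
CHUNK = 64 * 1024               # assumed number of output bytes requested per step


class DecompressionBombError(ValueError):
    """Decompressed output would exceed the configured cap."""


def make_zero_bomb(uncompressed_size: int) -> bytes:
    """Constructed attacker payload: `uncompressed_size` zero bytes, compressed."""
    return zlib.compress(b"\x00" * uncompressed_size, 9)


def compression_ratio(compressed: bytes, uncompressed_size: int) -> float:
    """How many output bytes each compressed byte expands to."""
    return uncompressed_size / len(compressed)


def naive_decompress(data: bytes) -> bytes:
    """The vulnerable pattern: one call, no bound, output size chosen by the server."""
    return zlib.decompress(data)


def bounded_decompress(data: bytes, max_size: int = MAX_DECOMPRESSED,
                       chunk: int = CHUNK) -> bytes:
    """Inflate `data`, raising DecompressionBombError before output exceeds `max_size`.

    Peak memory is about max_size + chunk regardless of the compression ratio:
    the decompressor is only ever asked for `chunk` bytes at a time, and we stop
    as soon as the running total crosses the cap.
    """
    d = zlib.decompressobj()
    out = bytearray()
    pending = data
    while not d.eof:
        piece = d.decompress(pending, chunk)  # at most `chunk` bytes of output
        out += piece
        if len(out) > max_size:
            raise DecompressionBombError(
                f"output exceeded {max_size} bytes from {len(data)} compressed bytes"
            )
        pending = d.unconsumed_tail  # input not yet processed because of the output limit
        if not piece and not pending and not d.eof:
            raise ValueError("truncated or corrupt compressed stream")
    return bytes(out)


def safe_decompress(data: bytes, max_size: int = MAX_DECOMPRESSED) -> Optional[bytes]:
    """Return the body, or None when it would exceed `max_size` (caller drops the response)."""
    try:
        return bounded_decompress(data, max_size)
    except DecompressionBombError:
        return None


if __name__ == "__main__":
    size = 50 * 1024 * 1024  # 50 MiB of zeros; compressed it is a few tens of KiB
    bomb = make_zero_bomb(size)
    print(f"{len(bomb)} compressed bytes, ratio about {compression_ratio(bomb, size):.0f}:1")
    print("bounded:", safe_decompress(bomb, max_size=MAX_DECOMPRESSED))  # rejected, returns None
    print("naive  :", len(naive_decompress(bomb)), "bytes allocated")   # the full 50 MiB
```

The important property is that `bounded_decompress` never holds more than the cap plus one chunk in memory, so a server cannot pick the allocation size; the naive form allocates whatever the stream expands to, which is the failure the advisory describes. A client should treat the rejection as a hard error for that response rather than retrying, since the same server will serve the same payload again.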
References
https://access.redhat.com/security/cve/CVE-2025-6176
