{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-6998", "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "state": "PUBLISHED", "assignerShortName": "Fluid Attacks", "dateReserved": "2025-07-01T23:26:57.856Z", "datePublished": "2025-07-24T19:39:17.709Z", "dateUpdated": "2025-07-25T13:17:33.295Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Linux"], "product": "Calibre Web", "vendor": "Calibre Web", "versions": [{"status": "affected", "version": "0.6.24", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "platforms": ["Linux"], "product": "Autocaliweb", "vendor": "Autocaliweb", "versions": [{"lessThan": "0.7.1", "status": "affected", "version": "0.7.0", "versionType": "custom"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:calibre_web:calibre_web:0.6.24:*:linux:*:*:*:*:*", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:autocaliweb:autocaliweb:*:*:linux:*:*:*:*:*", "versionEndExcluding": "0.7.1", "versionStartIncluding": "0.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">ReDoS in strip_whitespaces() function in cps/string_helper.py</span> in Calibre Web and Autocaliweb allows&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">unauthenticated remote attackers to cause denial of service via specially crafted username parameter that triggers catastrophic backtracking during login.&nbsp;</span>This issue affects Calibre Web: 0.6.24 (Nicolette); Autocaliweb: from 0.7.0 before 0.7.1."}], "value": "ReDoS in strip_whitespaces() function in cps/string_helper.py in Calibre Web and Autocaliweb allows\u00a0unauthenticated remote attackers to cause denial of service via specially crafted username parameter that triggers catastrophic backtracking during login.\u00a0This issue affects Calibre Web: 0.6.24 (Nicolette); Autocaliweb: from 0.7.0 before 0.7.1."}], "impacts": [{"capecId": "CAPEC-492", "descriptions": [{"lang": "en", "value": "CAPEC-492 Regular Expression Exponential Blowup"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.7, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1333", "description": "CWE-1333 Inefficient Regular Expression Complexity", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "shortName": "Fluid Attacks", "dateUpdated": "2025-07-25T13:17:33.295Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://fluidattacks.com/advisories/megadeth"}, {"tags": ["product"], "url": "https://github.com/janeczku/calibre-web"}, {"tags": ["product"], "url": "https://github.com/gelbphoenix/autocaliweb"}], "source": {"discovery": "UNKNOWN"}, "title": "Calibre Web 0.6.24 & Autocaliweb 0.7.0 - ReDoS", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-24T19:50:08.633333Z", "id": "CVE-2025-6998", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-24T19:50:16.388Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-6998", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-24T19:50:08.633333Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-24T19:50:13.054Z"}}], "cna": {"title": "Calibre Web 0.6.24 & Autocaliweb 0.7.0 - ReDoS", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-492", "descriptions": [{"lang": "en", "value": "CAPEC-492 Regular Expression Exponential Blowup"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Calibre Web", "product": "Calibre Web", "versions": [{"status": "affected", "version": "0.6.24", "versionType": "custom"}], "platforms": ["Linux"], "defaultStatus": "unaffected"}, {"vendor": "Autocaliweb", "product": "Autocaliweb", "versions": [{"status": "affected", "version": "0.7.0", "lessThan": "0.7.1", "versionType": "custom"}], "platforms": ["Linux"], "defaultStatus": "unaffected"}], "references": [{"url": "https://fluidattacks.com/advisories/megadeth", "tags": ["third-party-advisory"]}, {"url": "https://github.com/janeczku/calibre-web", "tags": ["product"]}, {"url": "https://github.com/gelbphoenix/autocaliweb", "tags": ["product"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "ReDoS in strip_whitespaces() function in cps/string_helper.py in Calibre Web and Autocaliweb allows\u00a0unauthenticated remote attackers to cause denial of service via specially crafted username parameter that triggers catastrophic backtracking during login.\u00a0This issue affects Calibre Web: 0.6.24 (Nicolette); Autocaliweb: from 0.7.0 before 0.7.1.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">ReDoS in strip_whitespaces() function in cps/string_helper.py</span> in Calibre Web and Autocaliweb allows&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">unauthenticated remote attackers to cause denial of service via specially crafted username parameter that triggers catastrophic backtracking during login.&nbsp;</span>This issue affects Calibre Web: 0.6.24 (Nicolette); Autocaliweb: from 0.7.0 before 0.7.1.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1333", "description": "CWE-1333 Inefficient Regular Expression Complexity"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:calibre_web:calibre_web:0.6.24:*:linux:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:autocaliweb:autocaliweb:*:*:linux:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "0.7.1", "versionStartIncluding": "0.7.0"}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "shortName": "Fluid Attacks", "dateUpdated": "2025-07-25T13:17:33.295Z"}}}, "cveMetadata": {"cveId": "CVE-2025-6998", "state": "PUBLISHED", "dateUpdated": "2025-07-25T13:17:33.295Z", "dateReserved": "2025-07-01T23:26:57.856Z", "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "datePublished": "2025-07-24T19:39:17.709Z", "assignerShortName": "Fluid Attacks"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "ReDoS in strip_whitespaces() function in cps/string_helper.py in Calibre Web and Autocaliweb allows\u00a0unauthenticated remote attackers to cause denial of service via specially crafted username parameter that triggers catastrophic backtracking during login.\u00a0This issue affects Calibre Web: 0.6.24 (Nicolette); Autocaliweb: from 0.7.0 before 0.7.1."}, {"lang": "es", "value": "El ReDoS en la funci\u00f3n strip_whitespaces() de cps/string_helper.py en Calibre Web y Autocaliweb permite a atacantes remotos no autenticados causar una denegaci\u00f3n de servicio mediante un par\u00e1metro de nombre de usuario especialmente manipulado que desencadena un retroceso catastr\u00f3fico durante el inicio de sesi\u00f3n. Este problema afecta a Calibre Web: 0.6.24 (Nicolette); Autocaliweb: de la versi\u00f3n 0.7.0 a la 0.7.1."}], "id": "CVE-2025-6998", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "help@fluidattacks.com", "type": "Secondary"}]}, "published": "2025-07-24T20:15:27.013", "references": [{"source": "help@fluidattacks.com", "url": "https://fluidattacks.com/advisories/megadeth"}, {"source": "help@fluidattacks.com", "url": "https://github.com/gelbphoenix/autocaliweb"}, {"source": "help@fluidattacks.com", "url": "https://github.com/janeczku/calibre-web"}], "sourceIdentifier": "help@fluidattacks.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1333"}], "source": "help@fluidattacks.com", "type": "Secondary"}]}

{}

{"created": "2025-07-25T15:53:56.687070+00:00", "updated": "2025-07-25T15:53:56.687158+00:00", "vendors": ["janeczku", "janeczku$PRODUCT$calibre-web"]}