CVE-2025-6998

ReDoS in strip_whitespaces() function in cps/string_helper.py in Calibre Web and Autocaliweb allows unauthenticated remote attackers to cause denial of service via specially crafted username parameter that triggers catastrophic backtracking during login. This issue affects Calibre Web: 0.6.24 (Nicolette); Autocaliweb: from 0.7.0 before 0.7.1.

CVSS

No CVSS.

References

Link	Resource
https://fluidattacks.com/advisories/megadeth
https://github.com/gelbphoenix/autocaliweb
https://github.com/janeczku/calibre-web

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) El ReDoS en la función strip_whitespaces() de cps/string_helper.py en Calibre Web y Autocaliweb permite a atacantes remotos no autenticados causar una denegación de servicio mediante un parámetro de nombre de usuario especialmente manipulado que desencadena un retroceso catastrófico durante el inicio de sesión. Este problema afecta a Calibre Web: 0.6.24 (Nicolette); Autocaliweb: de la versión 0.7.0 a la 0.7.1.

25 Jul 2025, 14:15

Type	Values Removed	Values Added
Summary	(en) ReDoS in strip_whitespaces() function in cps/string_helper.py in Calibre Web and Autocaliweb allows unauthenticated remote attackers to cause denial of service via specially crafted username parameter that triggers catastrophic backtracking during login.This issue affects Calibre Web: 0.6.24; Autocaliweb: from 0.7.0 before 0.7.1.	(en) ReDoS in strip_whitespaces() function in cps/string_helper.py in Calibre Web and Autocaliweb allows unauthenticated remote attackers to cause denial of service via specially crafted username parameter that triggers catastrophic backtracking during login. This issue affects Calibre Web: 0.6.24 (Nicolette); Autocaliweb: from 0.7.0 before 0.7.1.

25 Jul 2025, 13:15

Type	Values Removed	Values Added
Summary	(en) ReDoS in strip_whitespaces() function in cps/string_helper.py in janeczku Calibre Web 0.6.24 (Nicolette) allows unauthenticated remote attackers to cause denial of service via specially crafted username parameter that triggers catastrophic backtracking during login. ReDoS in strip_whitespaces() function in cps/string_helper.py in gelbphoenix Autocaliweb 0.7.0 on allows unauthenticated remote attackers to cause denial of service via specially crafted username parameter that triggers catastrophic backtracking during login.	(en) ReDoS in strip_whitespaces() function in cps/string_helper.py in Calibre Web and Autocaliweb allows unauthenticated remote attackers to cause denial of service via specially crafted username parameter that triggers catastrophic backtracking during login.This issue affects Calibre Web: 0.6.24; Autocaliweb: from 0.7.0 before 0.7.1.

24 Jul 2025, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-24 20:15

Updated : 2026-04-15 00:35

NVD link : CVE-2025-6998

Mitre link : CVE-2025-6998

CVE.ORG link : CVE-2025-6998

JSON object : View

Products Affected

No product.

CWE

CWE-1333

Inefficient Regular Expression Complexity

JSON object

Attach tags to CVE-2025-6998

Attach tags to `CVE-2025-6998`