CVE-2025-64509: Bugsink is vulnerable to unauthenticated remote DoS via crafted Brotli input (via CPU)

November 13, 2025

In affected versions, a specially crafted Brotli-compressed envelope can cause Bugsink to spend excessive CPU time in decompression, leading to denial of service.

This can be done if the DSN is known, which it is in many common setups (JavaScript, Mobile Apps).

References

github.com/advisories/GHSA-rrx3-2x4g-mq2h
github.com/bugsink/bugsink
github.com/bugsink/bugsink/commit/1201f754e39265d2aac58edf49dc380bac334388
github.com/bugsink/bugsink/security/advisories/GHSA-rrx3-2x4g-mq2h
nvd.nist.gov/vuln/detail/CVE-2025-64509

Code Behaviors & Features

Detect and mitigate CVE-2025-64509 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →