CVE-2025-6998: Calibre Web and Autocaliweb have a ReDoS vulnerability

July 24, 2025 (updated November 10, 2025)

ReDoS in strip_whitespaces() function in cps/string_helper.py in Calibre Web and Autocaliweb allows unauthenticated remote attackers to cause denial of service via specially crafted username parameter that triggers catastrophic backtracking during login. This issue affects Calibre Web: 0.6.24 (Nicolette); Autocaliweb: from 0.7.0 before 0.7.1.

References

fluidattacks.com/advisories/megadeth
github.com/advisories/GHSA-2g7m-ph9x-7q7m
github.com/gelbphoenix/autocaliweb
github.com/janeczku/calibre-web
nvd.nist.gov/vuln/detail/CVE-2025-6998

Code Behaviors & Features

Detect and mitigate CVE-2025-6998 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →