Denial of Service Vulnerability in Bugsink Error Tracking Tool
CVE-2025-64508

7.5HIGH

Key Information:

Vendor

Bugsink

Status
Bugsink
Vendor
CVE Published:
10 November 2025

What is CVE-2025-64508?

Bugsink, a self-hosted error tracking tool, contains a vulnerability that allows attackers to exploit highly compressed brotli streams, potentially leading to Denial of Service. By sending specifically crafted brotli 'bombs' to the server, which attempts to decompress them, memory resources can be exhausted. This issue arises in setups where the Data Source Name (DSN) is exposed, common in various applications like JavaScript or Mobile Apps, making it crucial for administrators to upgrade to Bugsink version 2.0.5 or later. The vulnerability resembles another brotli-related issue in Bugsink (GHSA-rrx3-2x4g-mq2h) but is distinct in execution and impact.

Affected Version(s)

bugsink < 2.0.5

References

https://github.com/bugsink/bugsink/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/google/brotli/issues/1327
x_refsource_MISC
https://github.com/google/brotli/issues/1375
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2025-64508 : Denial of Service Vulnerability in Bugsink Error Tracking Tool