{
  "schema_version": "1.4.0",
  "id": "GHSA-g8vq-v3mg-7mrg",
  "modified": "2025-03-21T15:26:55Z",
  "published": "2025-03-21T15:26:55Z",
  "aliases": [
    "CVE-2025-30160"
  ],
  "summary": "Redlib allows a Denial of Service via DEFLATE Decompression Bomb in restore_preferences Form",
  "details": "A vulnerability has been identified in Redlib where an attacker can cause a denial-of-service (DOS) condition by submitting a specially crafted base2048-encoded DEFLATE decompression bomb to the restore_preferences form. This leads to excessive memory consumption and potential system instability, which can be exploited to disrupt Redlib instances. This vulnerability was introduced in 2e95e1fc6e2064ccfae87964b4860bda55eddb9a and fixed in 15147cea8e42f6569a11603d661d71122f6a02dc.\n\n### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nThis vulnerability allows a remote attacker with network access to exploit the preference restoration mechanism by providing a compressed payload that expands dramatically upon decompression. The issue arises because the system automatically decompresses user-supplied data without enforcing size limits, potentially leading to:\n\n- Out-of-memory (OOM) conditions\n- OS-level resource exhaustion, potentially leading to broader system instability or crashes\n- Repeated exploitation, keeping the target system in a persistent degraded state\n- Denial-of-service of any public instance\n\n### Patches\nThe problem has been patched in 15147cea8e42f6569a11603d661d71122f6a02dc. Users should upgrade to v0.36.0.\n\n### Workarounds\nUntil a patch is available, users can:\n\n- Implement request size limits at the web server or application level to reject excessively large inputs.\n- Disable or restrict the restore_preferences route (`/settings/encoded-restore`) at the reverse-proxy level if not required.\n- Monitor server logs for unusually large or repeated restore_preferences requests and block offending IPs.",
  "severity": [
    {
      "type": "CVSS_V4",
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "redlib"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.36.0"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/crewjam/saml/security/advisories/GHSA-5mqj-xc49-246p"
    },
    {
      "type": "WEB",
      "url": "https://github.com/redlib-org/redlib/security/advisories/GHSA-g8vq-v3mg-7mrg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30160"
    },
    {
      "type": "WEB",
      "url": "https://github.com/redlib-org/redlib/commit/15147cea8e42f6569a11603d661d71122f6a02dc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/redlib-org/redlib/commit/2e95e1fc6e2064ccfae87964b4860bda55eddb9a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/redlib-org/redlib"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-502"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-21T15:26:55Z",
    "nvd_published_at": "2025-03-20T19:15:38Z"
  }
}