CVE-2025-30160
Published: 20 March 2025
Summary
CVE-2025-30160 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Redlib. Its CVSS 4.0 base score is 8.7 (High); under CVSS v3.1 it scores 7.5.
Operationally, exploitation maps to the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003). The CVE ranks in the top 29.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations identified in our analysis are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-30160 affects Redlib, an alternative private front-end to Reddit. An attacker can trigger a denial-of-service (DoS) condition by submitting a specially crafted base2048-encoded DEFLATE decompression bomb to the restore_preferences form. Inflating the stream consumes excessive memory and can destabilise the host, disrupting the Redlib instance. The issue is classified under CWE-400 (Uncontrolled Resource Consumption) and CWE-502 (Deserialization of Untrusted Data) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). It is fixed in Redlib 0.36.0.
Any unauthenticated remote attacker can exploit the flaw with low attack complexity and no user interaction. Sending the malicious payload to the restore_preferences form forces the server to decompress it, and because the expanded size is dictated by the attacker rather than bounded by the server, memory consumption grows until the instance is degraded or unavailable. Confidentiality and integrity are not affected.
Mitigation is to upgrade to Redlib 0.36.0 or later, as detailed in the GitHub security advisory GHSA-g8vq-v3mg-7mrg and the fixing commits 15147cea8e42f6569a11603d661d71122f6a02dc and 2e95e1fc6e2064ccfae87964b4860bda55eddb9a. Security practitioners should review these resources for implementation details and identify any deployment still running a version earlier than 0.36.0.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7180
Vulnerability details
Redlib is an alternative private front-end to Reddit. A vulnerability has been identified in Redlib where an attacker can cause a denial-of-service (DoS) condition by submitting a specially crafted base2048-encoded DEFLATE decompression bomb to the restore_preferences form. This leads to excessive memory consumption and potential system instability, which can be exploited to disrupt Redlib instances. This vulnerability is fixed in 0.36.0.
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The vulnerability directly enables an application exhaustion flood (T1499.003): a remote, unauthenticated submission of a decompression bomb to the restore_preferences form drives the server's memory consumption up, as described in the CVE.
Mitigating Controls (NIST 800-53 r5, AI)
- SC-5 (Denial-of-service Protection): implements denial-of-service protections that directly counter resource exhaustion attacks such as the DEFLATE decompression bomb targeting Redlib's restore_preferences form.
- SI-10 (Information Input Validation): requires validation of untrusted inputs such as the specially crafted base2048-encoded data, so that decompression bombs are rejected before they drive up memory use.
- Enforces restrictions on input size, format, and type for the restore_preferences form to block oversized or malicious payloads that cause uncontrolled resource consumption.
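The following Python example is added here to illustrate both the mechanism described under Deeper analysis and the SC-5/SI-10 controls listed above; it is not Redlib's code (Redlib is written in Rust) and does not reproduce its fix. It builds a constructed raw-DEFLATE decompression bomb, shows the vulnerable pattern (decompress whatever arrives), and contrasts it with a hardened handler that caps both the submitted size and the decompressed size. The function names, the limit values and the `restore_preferences_safe` handler are assumptions for illustration; the base2048 decoding step the real form performs is assumed to have happened already and is not implemented.

```python
import zlib

# Limits a server-side handler might enforce. Assumed values for this example,
# not Redlib's configuration.
MAX_ENCODED_BYTES = 64 * 1024    # cap on the submitted form field, before inflating
MAX_DECODED_BYTES = 256 * 1024   # cap on what the DEFLATE stream may expand to
RAW_DEFLATE_WBITS = -15          # raw DEFLATE stream: no zlib or gzip header


class PayloadTooLarge(ValueError):
    """Raised when the submitted data or its decompressed form exceeds a limit."""


def deflate_raw(payload: bytes) -> bytes:
    """Compress `payload` as a raw DEFLATE stream (helper for constructed inputs)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, RAW_DEFLATE_WBITS)
    return comp.compress(payload) + comp.flush()


def make_bomb(expanded_size: int) -> bytes:
    """Constructed attacker payload: a stream that inflates to `expanded_size` zero bytes.

    Runs of zeros compress at roughly 1000:1, so tens of KiB on the wire become
    tens of MiB in memory. That asymmetry is the whole attack.
    """
    return deflate_raw(b"\0" * expanded_size)


def inflate_unbounded(data: bytes) -> int:
    """The vulnerable pattern: inflate whatever arrives and return its length.

    Peak memory is chosen by the sender, not by the server.
    """
    return len(zlib.decompress(data, RAW_DEFLATE_WBITS))


def inflate_bounded(data: bytes, max_out: int) -> bytes:
    """Inflate `data`, refusing to emit more than `max_out` bytes.

    Asking zlib for at most max_out + 1 bytes means an over-limit stream is
    detected after a single extra byte instead of after exhausting memory.
    `eof` stays False when zlib still has output pending (a bomb cut off at the
    cap) or when the stream is truncated; both cases are rejected.
    """
    d = zlib.decompressobj(RAW_DEFLATE_WBITS)
    out = d.decompress(data, max_out + 1)
    if len(out) > max_out:
        raise PayloadTooLarge(f"decompressed size exceeds {max_out} bytes")
    if not d.eof:
        raise PayloadTooLarge("stream is incomplete or still expanding at the size limit")
    return out


def restore_preferences_safe(form_value: bytes) -> bytes:
    """Hypothetical hardened handler for a restore-preferences form field.

    Takes the raw DEFLATE bytes (base2048 decoding assumed done upstream) and
    applies two gates: the size of what was submitted (SI-10 style input
    restriction), then the size of what it decompresses to (SC-5 style
    resource bound). The first gate alone is not enough: a bomb that expands
    1000:1 passes it comfortably.
    """
    if len(form_value) > MAX_ENCODED_BYTES:
        raise PayloadTooLarge("encoded preferences exceed the form field limit")
    try:
        return inflate_bounded(form_value, MAX_DECODED_BYTES)
    except zlib.error as exc:
        raise ValueError(f"malformed DEFLATE stream: {exc}") from exc
```

Run against a 32 MiB bomb, `inflate_unbounded` happily allocates the full 32 MiB while `restore_preferences_safe` stops after 256 KiB + 1 byte and raises. The same bounded reader also rejects a truncated stream, which a naive handler would silently accept as partial preferences.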