Cyber Resilience

CVE-2025-30160

Published: 20 March 2025

Modified: 03 February 2026
KEV Added: not listed
Patch: fixed in Redlib 0.36.0
CVSS v4 Score: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0063 (70.9th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-30160 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Redlib. Its CVSS v4 base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003). The CVE ranks in the top 29.1% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-30160 affects Redlib, an alternative private front-end to Reddit. The vulnerability enables an attacker to trigger a denial-of-service (DoS) condition by submitting a specially crafted base2048-encoded DEFLATE decompression bomb to the restore_preferences form. Inflating the payload consumes excessive memory and can destabilise the host, disrupting Redlib instances. The issue is associated with CWE-400 (Uncontrolled Resource Consumption) and CWE-502 (Deserialization of Untrusted Data) and has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). It is fixed in Redlib version 0.36.0.

Any unauthenticated remote attacker can exploit this vulnerability with low attack complexity and no user interaction required. By sending the malicious payload to the restore_preferences form, the attacker causes the decompression process to consume excessive resources, leading to DoS on the targeted Redlib instance without affecting confidentiality or integrity.

Mitigation is available by upgrading to Redlib 0.36.0 or later, as detailed in the GitHub security advisory GHSA-g8vq-v3mg-7mrg and the fixing commits 15147cea8e42f6569a11603d661d71122f6a02dc and 2e95e1fc6e2064ccfae87964b4860bda55eddb9a. Security practitioners should review these resources for implementation details and inventory any deployments still running a version prior to 0.36.0.

Vulnerability details

Redlib is an alternative private front-end to Reddit. A vulnerability has been identified in Redlib where an attacker can cause a denial-of-service (DoS) condition by submitting a specially crafted base2048-encoded DEFLATE decompression bomb to the restore_preferences form. This leads to excessive memory consumption and potential system instability, which can be exploited to disrupt Redlib instances. This vulnerability is fixed in 0.36.0.

CWE(s): CWE-400 (Uncontrolled Resource Consumption), CWE-502 (Deserialization of Untrusted Data)

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1499.003 Application Exhaustion Flood (tactic: Impact)
Adversaries may target resource-intensive features of applications to cause a denial of service (DoS), denying availability to those applications.
Why these techniques?

The vulnerability directly enables an application exhaustion flood DoS by allowing remote submission of a decompression bomb to the restore_preferences form, causing excessive memory consumption as described in the CVE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-56940 (shared CWE-400)
CVE-2026-26937 (shared CWE-400)
CVE-2025-2586 (shared CWE-400)
CVE-2024-45626 (shared CWE-400)
CVE-2026-4726 (shared CWE-400)
CVE-2026-36958 (shared CWE-400)
CVE-2023-51316 (shared CWE-400)
CVE-2025-52636 (shared CWE-400)
CVE-2025-21545 (shared CWE-400)
CVE-2026-6780 (shared CWE-400)

Affected Assets

Vendor: redlib
Product: redlib
Versions: ≤ 0.36.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) [AI]

SC-5 Denial-of-service Protection (prevent)

Implements denial-of-service protections that directly counter resource exhaustion attacks like the DEFLATE decompression bomb targeting Redlib's restore_preferences form.

SI-10 Information Input Validation (prevent)

Requires validation of untrusted inputs such as the specially crafted base2048-encoded data, so that decompression bombs are rejected before they can drive memory use up.

Input restriction (prevent)

Enforces restrictions on input size, format, and type for the restore_preferences form to block oversized or malicious payloads that would otherwise cause uncontrolled resource consumption.
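The following is an added example, written for this page rather than taken from Redlib or its fixing commits, showing what the SC-5 and SI-10 controls above look like in code for the decompression-bomb case described in the analysis. It applies a compressed-size ceiling before inflating, then inflates the raw DEFLATE stream in bounded steps and aborts the moment the output passes a fixed cap, so memory use is bounded whatever the payload's expansion ratio. It assumes the base2048 decoding step has already produced raw DEFLATE bytes and that preferences are a JSON object; the limits, function names and sample blobs are constructed for the example and are not Redlib's values.

```python
import json
import zlib

# Assumed limits for this example (not Redlib's values): a preferences blob is a
# few hundred bytes, so both caps are generous for legitimate input and tiny
# compared with what a decompression bomb expands to.
MAX_COMPRESSED_BYTES = 8 * 1024     # ceiling on the submitted (decoded) payload
MAX_DECOMPRESSED_BYTES = 64 * 1024  # hard cap on inflated output
CHUNK = 16 * 1024                   # inflate in bounded steps of this size


class PayloadTooLargeError(ValueError):
    """Submitted payload exceeds MAX_COMPRESSED_BYTES before inflation."""


class DecompressionBombError(ValueError):
    """Inflated output exceeded MAX_DECOMPRESSED_BYTES; inflation was aborted."""


def inflate_bounded(payload: bytes, limit: int = MAX_DECOMPRESSED_BYTES) -> bytes:
    """Inflate a raw DEFLATE stream, aborting as soon as output passes `limit`.

    A single zlib.decompress() call would allocate the whole output before the
    caller could measure it; decompressobj with max_length lets us stop part-way.
    """
    d = zlib.decompressobj(wbits=-15)  # -15: raw DEFLATE, no zlib/gzip header
    out = bytearray()
    pending = payload
    while not d.eof:
        piece = d.decompress(pending, CHUNK)  # at most CHUNK bytes of output
        pending = d.unconsumed_tail           # input zlib has not consumed yet
        if not piece and not pending:
            raise ValueError("truncated or corrupt DEFLATE stream")
        out += piece
        if len(out) > limit:
            raise DecompressionBombError(
                f"inflated output exceeds {limit} bytes; aborted at {len(out)}")
    return bytes(out)


def restore_preferences(payload: bytes) -> dict:
    """Hypothetical restore path: size ceiling, bounded inflate, then parse."""
    if len(payload) > MAX_COMPRESSED_BYTES:
        raise PayloadTooLargeError(f"{len(payload)} bytes > {MAX_COMPRESSED_BYTES}")
    raw = inflate_bounded(payload)
    prefs = json.loads(raw.decode("utf-8"))  # assumed JSON-object format
    if not isinstance(prefs, dict):
        raise ValueError("preferences must be a JSON object")
    return prefs


def check_payload(payload: bytes) -> str:
    """Classify a submission for logging or metrics without raising."""
    try:
        restore_preferences(payload)
        return "ok"
    except PayloadTooLargeError:
        return "too_large"
    except DecompressionBombError:
        return "bomb"
    except (ValueError, zlib.error):  # JSON and Unicode errors are ValueErrors
        return "rejected"


def deflate_raw(data: bytes) -> bytes:
    """Raw DEFLATE compressor used only to build the constructed samples below."""
    c = zlib.compressobj(level=9, wbits=-15)
    return c.compress(data) + c.flush()


# Constructed sample inputs (not captured from any real instance).
GOOD_BLOB = deflate_raw(json.dumps({"theme": "dark", "layout": "card"}).encode())
# 2 MiB of zeros deflates to roughly 2 KiB, so it passes the compressed-size
# ceiling and is caught only by the inflate-time cap.
BOMB_BLOB = deflate_raw(b"\x00" * (2 * 1024 * 1024))

if __name__ == "__main__":
    for name, blob in [("good", GOOD_BLOB), ("bomb", BOMB_BLOB)]:
        print(f"{name}: {len(blob)} compressed bytes -> {check_payload(blob)}")
```

The compressed-size ceiling alone is not enough, because DEFLATE can expand a few kilobytes into megabytes; the decisive control is the cap enforced while inflating, which is why the inflater never materialises more than one extra chunk beyond the limit. The verdict strings from `check_payload` are the kind of signal worth emitting to logs or metrics, since a burst of `bomb` or `too_large` verdicts against a single endpoint is the detection counterpart of SC-5. In a Rust service the same shape is a streaming decoder read through `Read::take` with the cap as its limit; the design point is identical.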

References