CVE-2025-30160
Published: 20 March 2025
Description
Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications.
Security Summary
CVE-2025-30160 affects Redlib, an alternative private front-end to Reddit. The vulnerability enables an attacker to trigger a denial-of-service (DoS) condition by submitting a specially crafted base2048-encoded DEFLATE decompression bomb to the restore_preferences form. This results in excessive memory consumption and potential system instability, disrupting Redlib instances. It is associated with CWE-400 (Uncontrolled Resource Consumption) and CWE-502 (Deserialization of Untrusted Data) and has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). The issue is fixed in Redlib version 0.36.0.
Any unauthenticated remote attacker can exploit this vulnerability with low attack complexity and no user interaction required. By sending the malicious payload to the restore_preferences form, the attacker causes the decompression process to consume excessive resources, leading to DoS on the targeted Redlib instance without affecting confidentiality or integrity.
Mitigation is available through upgrading to Redlib 0.36.0 or later, as detailed in the GitHub security advisory GHSA-g8vq-v3mg-7mrg and the fixing commits 15147cea8e42f6569a11603d661d71122f6a02dc and 2e95e1fc6e2064ccfae87964b4860bda55eddb9a. Security practitioners should review these resources for implementation details and identify any deployments still running a version prior to 0.36.0.
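As an added example (not Redlib's own code, which is Rust and also strips a base2048 layer that is omitted here), the following Python contrasts unbounded inflation of a raw DEFLATE stream with an output-capped decoder that rejects any payload expanding past a fixed limit. The 64 KiB cap, the function names and the sample stream are assumptions constructed for this illustration.

```python
import zlib

# Hypothetical cap: a restored preferences blob should never inflate beyond this.
MAX_DECOMPRESSED = 64 * 1024  # 64 KiB


def make_sample_stream(inflated_size: int) -> bytes:
    """Constructed test input: raw DEFLATE (wbits=-15, no zlib header) of
    highly repetitive bytes, so a small input inflates to `inflated_size`."""
    c = zlib.compressobj(level=9, wbits=-15)
    return c.compress(b"\0" * inflated_size) + c.flush()


def inflate_unbounded(data: bytes) -> bytes:
    """The vulnerable pattern: inflate whatever arrives with no output cap.
    Memory use is controlled entirely by the sender."""
    return zlib.decompress(data, wbits=-15)


def inflate_bounded(data: bytes, limit: int = MAX_DECOMPRESSED) -> bytes:
    """Hardened pattern: ask the decoder for at most `limit` bytes of output.
    If input remains unconsumed or the stream has not reached its end marker,
    the payload would have exceeded the cap, so it is rejected outright."""
    d = zlib.decompressobj(wbits=-15)
    out = d.decompress(data, limit)
    if d.unconsumed_tail or not d.eof:
        raise ValueError(f"decompressed payload exceeds {limit} bytes")
    return out


def is_safe_to_restore(data: bytes, limit: int = MAX_DECOMPRESSED) -> bool:
    """Convenience check for a request handler: True only if the payload
    inflates completely within `limit`."""
    try:
        inflate_bounded(data, limit)
        return True
    except (ValueError, zlib.error):
        return False


if __name__ == "__main__":
    small = make_sample_stream(1024)
    bomb = make_sample_stream(1024 * 1024)  # ~1 KiB on the wire, 1 MiB inflated
    print(len(small), is_safe_to_restore(small))  # 1024-byte payload: accepted
    print(len(bomb), is_safe_to_restore(bomb))    # oversize payload: rejected
```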
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly enables an application exhaustion flood DoS by allowing remote submission of a decompression bomb to the restore_preferences form, causing excessive memory consumption as described in the CVE.