A ReDoS in the stripwhitespaces() function in cps/stringhelper.py in Calibre Web and Autocaliweb allows unauthenticated remote attackers to cause a denial of service via a specially crafted username parameter that triggers catastrophic backtracking during login. This issue affects Calibre Web: 0.6.24 (Nicolette); Autocaliweb: from 0.7.0 before 0.7.1.
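An added example, not code from Calibre Web or Autocaliweb: the advisory does not show the project's pattern, so the regex below is a constructed stand-in for a backtracking whitespace trim, placed beside a linear-time trim and a length bound applied before any processing. `normalize_username`, `MAX_USERNAME_LEN` and the sample strings are hypothetical.

```python
import re
import time

# ASSUMPTION: constructed pattern, not copied from cps/stringhelper.py. It stands in
# for any "trim both ends" regex whose trailing branch is an unanchored \s+$.
BACKTRACKING_TRIM = re.compile(r"(^\s+)|(\s+$)")

MAX_USERNAME_LEN = 256  # ASSUMPTION: hypothetical limit; choose one that fits the user store


def trim_regex(text: str) -> str:
    """Regex trim. Each start position inside an interior whitespace run rescans
    the rest of the run before `$` fails, so work grows quadratically with the run."""
    return BACKTRACKING_TRIM.sub("", text)


def trim_linear(text: str) -> str:
    """Same result for leading/trailing Unicode whitespace, one pass, no backtracking."""
    return text.strip()


def normalize_username(raw: str) -> str:
    """Hypothetical login-path helper: bound the input first, then trim in linear time."""
    if len(raw) > MAX_USERNAME_LEN:
        raise ValueError("username too long")
    return trim_linear(raw)


def time_trims(run_length: int) -> tuple[float, float]:
    """Time both trims on a constructed sample: a whitespace run that stops short of the end."""
    sample = "a" + " " * run_length + "a"
    t0 = time.perf_counter()
    trim_regex(sample)
    t1 = time.perf_counter()
    trim_linear(sample)
    t2 = time.perf_counter()
    return t1 - t0, t2 - t1


if __name__ == "__main__":
    # Doubling the run length roughly quadruples the regex time; str.strip() stays flat.
    for n in (1000, 2000, 4000):
        slow, fast = time_trims(n)
        print(f"run={n:5d}  regex={slow:.4f}s  strip={fast:.6f}s")
```

The length check belongs before the trim on any unauthenticated path, so that request size, not regex behaviour, bounds the work done per login attempt.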
{ "github_reviewed": true, "severity": "HIGH", "github_reviewed_at": "2025-07-28T14:53:43Z", "cwe_ids": [ "CWE-1333" ], "nvd_published_at": "2025-07-24T20:15:27Z" }