A buffer overflow, as described in CVE-2020-8927, exists in the embedded Brotli library. Versions of IO::Compress::Brotli prior to 0.007 included a version of the brotli library prior to version 1.0.8, in which an attacker controlling the input length of a "one-shot" decompression request to a script can trigger a crash; the crash occurs when copying chunks of data larger than 2 GiB. It is recommended to update the IO::Compress::Brotli module to 0.007 or later. If updating is not possible, we recommend using the "streaming" API instead of the "one-shot" API and imposing chunk size limits.
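The workaround above (streaming API plus explicit size limits) as an added example in Perl; this is not code from the CVE record or from the IO::Compress::Brotli distribution. It assumes the module's documented interface: `bro()` and `unbro()` as the one-shot functions, `IO::Uncompress::Brotli->create` returning a streaming decoder with a `decompress($bytes)` method, and `IO::Compress::Brotli` exporting `bro()`. The 64 KiB input chunk and 256 MiB output cap are example values chosen here, not limits the advisory prescribes.

```perl
#!/usr/bin/env perl
# Added example (not from the CVE record or the IO::Compress::Brotli module):
# decompress Brotli data through the streaming interface, reading input in
# bounded pieces and refusing to let the decompressed output grow past a cap,
# instead of handing one attacker-sized buffer to the one-shot unbro() call.
use strict;
use warnings;
use IO::Compress::Brotli;      # exports bro(); used here only to build test data
use IO::Uncompress::Brotli;    # provides the streaming decoder (assumed API, see lead-in)

# Example limits (assumptions for this illustration, not values from the advisory).
use constant IN_CHUNK_BYTES   => 64 * 1024;          # compressed input read in 64 KiB pieces
use constant MAX_OUTPUT_BYTES => 256 * 1024 * 1024;  # refuse decompressed output above 256 MiB

# Decompress everything readable from $in_fh; dies if the output exceeds $max_out.
sub bounded_unbrotli {
    my ($in_fh, $max_out) = @_;
    $max_out //= MAX_OUTPUT_BYTES;
    binmode $in_fh;

    my $dec   = IO::Uncompress::Brotli->create;   # assumed: streaming decoder object
    my $out   = '';
    my $total = 0;
    my $buf;

    # read() returns 0 at EOF and undef on error, so both end the loop.
    while (my $n = read($in_fh, $buf, IN_CHUNK_BYTES)) {
        my $piece = $dec->decompress($buf);        # assumed: bytes produced for this chunk
        $total += length $piece;
        # Enforce the output cap before appending, so a small compressed input
        # cannot force an unbounded allocation in the caller.
        die "decompressed output exceeds $max_out bytes\n" if $total > $max_out;
        $out .= $piece;
    }
    return $out;
}

# Self-test on constructed data: compress a known string with the one-shot
# encoder, then feed it back through the bounded streaming decoder.
my $plain      = "constructed sample payload " x 1000;
my $compressed = bro($plain);

open my $fh, '<', \$compressed or die "cannot open in-memory handle: $!";
my $roundtrip = bounded_unbrotli($fh, MAX_OUTPUT_BYTES);
close $fh;
print $roundtrip eq $plain ? "round-trip ok\n" : "round-trip MISMATCH\n";

# With a deliberately tiny cap the decoder stops instead of growing without bound.
open my $fh2, '<', \$compressed or die "cannot open in-memory handle: $!";
eval { bounded_unbrotli($fh2, 100) };
close $fh2;
print "limit enforced: $@" if $@;
```

The cap is checked on accumulated output rather than on input size, because a small compressed input can expand to a much larger plaintext; a script that must also bound the request body should check the content length before reading at all.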
Reserved 2025-05-28 | Published 2025-05-30 | Updated 2025-05-30 | Assigner CPANSec
CWE-1395 Dependency on Vulnerable Third-Party Component
Robert Rothenberg (RRWO)
github.com/google/brotli/pull/826
github.com/advisories/GHSA-5v8v-66v8-mwm7
github.com/...44c83b23bb4658179e1494af4b725a1bc476bc/Changes
nvd.nist.gov/vuln/detail/CVE-2020-8927
github.com/...ommit/223d80cfbec8fd346e32906c732c8ede21f0cea6