PT-2025-23219 · Unknown · Io::Compress::Brotli

Robert Rothenberg · Published 2020-09-15 · Updated 2025-09-04 · CVE-2020-36846

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: IO::Compress::Brotli versions prior to 0.007
Description: A buffer overflow exists in the embedded Brotli library. An attacker controlling the input length of a decompression request can trigger a crash when copying over chunks of data larger than 2 GiB.
Recommendations: Update the IO::Compress::Brotli module to version 0.007 or later. If an update is not possible, use the streaming API instead of the one-shot API and impose chunk size limits.
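As an added illustration of the workaround (not code from the module's author or from this advisory): decompress through the streaming IO::Uncompress::Brotli object in bounded chunks and cap the total decoded size, instead of slurping an attacker-sized buffer into the one-shot `unbro`. The 1 MiB chunk size and 64 MiB output cap are assumed policy values, not figures from the advisory.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use IO::Uncompress::Brotli;   # streaming decoder shipped with IO::Compress::Brotli

# Policy values chosen for this example (assumptions, not from the advisory):
# feed the decoder at most 1 MiB per call and refuse to emit more than
# 64 MiB of decoded output in total.
use constant CHUNK_SIZE => 1024 * 1024;
use constant MAX_OUTPUT => 64 * 1024 * 1024;

# Vulnerable pattern being replaced: reading the whole request body into
# memory and calling the one-shot API on it, so the input length is whatever
# the remote side chose:
#     my $out = unbro($whole_body, $max);

# Decompress $in_fh to $out_fh in bounded chunks. Returns the number of
# decoded bytes; dies if the output cap is exceeded, on I/O failure, or
# when the decoder rejects the stream (it croaks on malformed input).
sub decompress_bounded {
    my ($in_fh, $out_fh) = @_;
    binmode $in_fh;
    binmode $out_fh;

    my $bro   = IO::Uncompress::Brotli->create;
    my $total = 0;

    while (1) {
        my $n = read($in_fh, my $chunk, CHUNK_SIZE);
        die "read failed: $!\n" unless defined $n;
        last if $n == 0;                       # EOF

        # Input length per call is bounded by CHUNK_SIZE, so the decoder
        # never sees a single buffer anywhere near the 2 GiB copy limit.
        my $decoded = $bro->decompress($chunk);
        $total += length $decoded;
        die sprintf("decoded output exceeds %d bytes\n", MAX_OUTPUT)
            if $total > MAX_OUTPUT;

        print {$out_fh} $decoded or die "write failed: $!\n";
    }
    return $total;
}

# Stand-alone use: perl this_script.pl < file.br > file
decompress_bounded(\*STDIN, \*STDOUT) unless caller;
```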

Fix

Buffer Overflow


Weakness Enumeration

Related Identifiers

BIT-BROTLI-2020-8927
BIT-DOTNET-2020-8927
BIT-DOTNET-SDK-2020-8927
BIT-POWERSHELL-2020-8927
CVE-2020-36846
GHSA-5V8V-66V8-MWM7
GO-2025-3726
OPENSUSE-SU-2025:15225-1
PYSEC-2020-29
RUSTSEC-2021-0131
RUSTSEC-2021-0132

Affected Products

Io::Compress::Brotli