Description
A buffer overflow, as described in CVE-2020-8927, exists in the embedded Brotli library. Versions of IO::Compress::Brotli prior to 0.007 included a version of the brotli library prior to version 1.0.8, where an attacker controlling the input length of a "one-shot" decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 GiB. It is recommended to update your IO::Compress::Brotli module to 0.007 or later. If one cannot update, we recommend using the "streaming" API as opposed to the "one-shot" API, and imposing chunk size limits.
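The streaming-API workaround the description recommends, shown as an added example that is not part of this advisory or of the IO::Compress::Brotli project. It assumes the module's documented streaming interface (IO::Uncompress::Brotli->create and ->decompress), and the input-chunk and output-size limits are illustrative values chosen here, not values from the advisory.

```perl
#!/usr/bin/perl
# Added example, not code from the advisory or the IO::Compress::Brotli project.
# Assumes the module's streaming interface: IO::Uncompress::Brotli->create
# returns a decoder whose ->decompress($chunk) returns the bytes decoded so far.
use strict;
use warnings;
use IO::Compress::Brotli;    # provides bro() for the constructed sample below
use IO::Uncompress::Brotli;

# Limits chosen for this example: feed the decoder small input chunks (so no
# single copy approaches the 2 GiB size the advisory describes) and refuse to
# emit more than a fixed amount of output, which also bounds memory use.
use constant INPUT_CHUNK => 64 * 1024;          # bytes read per iteration
use constant MAX_OUTPUT  => 16 * 1024 * 1024;   # ceiling on decoded bytes

# Decompress $fh_in to $fh_out through the streaming API in bounded chunks.
# Dies when the output ceiling is exceeded instead of letting the decoder
# keep expanding. Returns the number of decoded bytes written.
sub decompress_bounded {
    my ($fh_in, $fh_out) = @_;
    my $bro   = IO::Uncompress::Brotli->create;
    my $total = 0;
    my $buf;
    while (read($fh_in, $buf, INPUT_CHUNK)) {
        my $out = $bro->decompress($buf);
        $total += length $out;
        die "output limit exceeded (> " . MAX_OUTPUT . " bytes)\n"
            if $total > MAX_OUTPUT;
        print {$fh_out} $out;
    }
    return $total;
}

# Constructed sample: compress a small buffer in memory, then decode it
# through the bounded streaming path and verify the round trip.
my $plain   = "example payload " x 1000;
my $encoded = bro($plain);
open my $in,  '<', \$encoded or die "open: $!";
open my $out, '>', \my $decoded or die "open: $!";
my $n = decompress_bounded($in, $out);
close $out;
print "decoded $n bytes, round-trip ",
      ($decoded eq $plain ? "ok" : "MISMATCH"), "\n";
```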
References (5)
third-party-advisory (Various Sources): https://github.com/advisories/GHSA-5v8v-66v8-mwm7
mitigation (Various Sources): https://github.com/timlegge/perl-IO-Compress-Brotli/blob/8b44c83b23bb4658179e1494af4b725a1bc476bc/Changes#L52
vdb-entry (Various Sources): https://nvd.nist.gov/vuln/detail/CVE-2020-8927
issue-tracking (Issue Tracking): https://github.com/google/brotli/pull/826
Scores
CVSS v3: 9.8
EPSS: 0.0053
EPSS Percentile: 41.1%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: total
Details
CWE: CWE-1395
Status: published
Products (1)
TIMLEGGE/IO::Compress::Brotli: < 0.007
Published: May 30, 2025
Tracked Since: Feb 18, 2026