Buffer Overflow in IO::Compress::Brotli Affects Perl Module
CVE-2020-36846

9.8CRITICAL

Key Information:

Vendor: Timlegge
Status: Io::compress::brotli
Vendor: CVE Published:; 30 May 2025

What is CVE-2020-36846?

A vulnerability exists in the embedded Brotli library within IO::Compress::Brotli prior to version 0.007. By exploiting this issue, an attacker can control the input length of a single decompression request, potentially leading to a crash when attempting to copy chunks of data exceeding 2 GiB. Users are advised to upgrade to the latest module version or, if an upgrade isn’t feasible, utilize the 'streaming' API instead of the 'one-shot' API while enforcing chunk size limits to mitigate risks.

Affected Version(s)

IO::Compress::Brotli 0 < 0.007

References

https://github.com/google/brotli/pull/826

issue-tracking

https://github.com/advisories/GHSA-5v8v-66v8-mwm7

third-party-advisory

https://github.com/timlegge/perl-IO-Compress-Brotli/blob/...

mitigation

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 30, 2025

Timlegge

What is CVE-2020-36846?

Affected Version(s)

References

CVSS V3.1

Timeline