Buffer Overflow in IO::Compress::Brotli Affects Perl Module
CVE-2020-36846

9.8CRITICAL

Key Information:

Vendor

Timlegge

Status
Io::compress::brotli
Vendor
CVE Published:
30 May 2025

What is CVE-2020-36846?

A vulnerability exists in the embedded Brotli library within IO::Compress::Brotli prior to version 0.007. By exploiting this issue, an attacker can control the input length of a single decompression request, potentially leading to a crash when attempting to copy chunks of data exceeding 2 GiB. Users are advised to upgrade to the latest module version or, if an upgrade isn’t feasible, utilize the 'streaming' API instead of the 'one-shot' API while enforcing chunk size limits to mitigate risks.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

IO::Compress::Brotli 0 < 0.007

References

https://github.com/google/brotli/pull/826
issue-tracking
https://github.com/advisories/GHSA-5v8v-66v8-mwm7
third-party-advisory
https://github.com/timlegge/perl-IO-Compress-Brotli/blob/...
mitigation

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

JSON
.