CVE-2020-36846
MEDIUM6.5EPSS 0.54%Buffer overflow in Brotli library
Published: 5/24/2022Modified: 9/4/2025
Also known as:GHSA-5v8v-66v8-mwm7BIT-brotli-2020-8927BIT-dotnet-2020-8927BIT-dotnet-sdk-2020-8927BIT-powershell-2020-8927CGA-wwxx-79x9-pxv3GO-2025-3726PYSEC-2020-29RUSTSEC-2021-0131RUSTSEC-2021-0132
Description
A buffer overflow exists in the Brotli library versions prior to 1.0.8 where an attacker controlling the input length of a "one-shot" decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 GiB. It is recommended to update your Brotli library to 1.0.8 or later. If one cannot update, we recommend to use the "streaming" API as opposed to the "one-shot" API, and impose chunk size limits.
Affected packages (126)
- Bitnami/brotlifrom 0, < 1.0.8
- Bitnami/dotnet>= 5.0.0, < 5.0.15
- Bitnami/dotnet-sdk>= 5.0.0, < 5.0.15
- Bitnami/powershell>= 7.0.0, < 7.0.9, >= 7.1.0, < 7.1.6, >= 7.2.0, < 7.2.2
- crates.io/brotli-sys>= 0.0.0-0
- crates.io/compu-brotli-sysfrom 0, < 1.0.9
- crates.io/compu-brotli-sys>= 0.0.0-0, < 1.0.9
- Go/github.com/google/brotlifrom 0
- NuGet/Microsoft.NETCore.App.Runtime.AOT.linux-x64.Cross.android-arm>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.linux-x64.Cross.android-arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.linux-x64.Cross.android-x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.linux-x64.Cross.android-x86>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.linux-x64.Cross.browser-wasm>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.android-arm>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.android-arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.android-x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.android-x86>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.browser-wasm>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.ios-arm>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.ios-arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.iossimulator-arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.iossimulator-x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.iossimulator-x86>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.maccatalyst-arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.maccatalyst-x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.tvos-arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.tvossimulator-arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.tvossimulator-x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.android-arm>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.android-arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.android-arm64.Msi.x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.android-arm.Msi.x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.android-x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.android-x64.Msi.x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.android-x86>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.android-x86.Msi.x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.browser-wasm>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.browser-wasm.Msi.x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.browser-wasm>= 5.0.0, < 5.0.15
- NuGet/Microsoft.NETCore.App.Runtime.linux-arm>= 3.0.0, < 3.1.23
- NuGet/Microsoft.NETCore.App.Runtime.linux-arm64>= 3.0.0, < 3.1.23
- NuGet/Microsoft.NETCore.App.Runtime.linux-musl-arm>= 5.0.0, < 5.0.15
- NuGet/Microsoft.NETCore.App.Runtime.linux-musl-arm64>= 3.0.0, < 3.1.23
- NuGet/Microsoft.NETCore.App.Runtime.linux-musl-x64>= 5.0.0, < 5.0.15
- NuGet/Microsoft.NETCore.App.Runtime.linux-x64>= 3.0.0, < 3.1.23
- NuGet/Microsoft.NETCore.App.Runtime.Mono.android-arm>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.android-arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.android-arm64.Msi.arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.android-arm64.Msi.x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.android-arm64.Msi.x86>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.android-arm.Msi.arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.android-arm.Msi.x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.android-arm.Msi.x86>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.android-x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.android-x64.Msi.arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.android-x64.Msi.x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.android-x64.Msi.x86>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.android-x86>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.android-x86.Msi.arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.android-x86.Msi.x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.android-x86.Msi.x86>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.browser-wasm>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.browser-wasm.Msi.arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.browser-wasm.Msi.x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.browser-wasm.Msi.x86>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.ios-arm>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.ios-arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.ios-arm64.Msi.arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.ios-arm64.Msi.x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.ios-arm64.Msi.x86>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.ios-arm.Msi.arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.ios-arm.Msi.x86>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.iossimulator-arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.iossimulator-arm64.Msi.arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.iossimulator-arm64.Msi.x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.iossimulator-arm64.Msi.x86>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.iossimulator-x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.iossimulator-x64.Msi.arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.iossimulator-x64.Msi.x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.iossimulator-x64.Msi.x86>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.iossimulator-x86>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.iossimulator-x86.Msi.arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.iossimulator-x86.Msi.x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.iossimulator-x86.Msi.x86>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.linux-arm>= 5.0.0, < 5.0.15
- NuGet/Microsoft.NETCore.App.Runtime.Mono.linux-arm64>= 5.0.0, < 5.0.15
- NuGet/Microsoft.NETCore.App.Runtime.Mono.linux-musl-x64>= 5.0.0, < 5.0.15
- NuGet/Microsoft.NETCore.App.Runtime.Mono.linux-x64>= 5.0.0, < 5.0.15
- NuGet/Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.linux-arm64>= 5.0.0, < 5.0.15
- NuGet/Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.linux-x64>= 5.0.0, < 5.0.15
- NuGet/Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.osx-x64>= 5.0.0, < 5.0.15
- NuGet/Microsoft.NETCore.App.Runtime.Mono.LLVM.linux-arm64>= 5.0.0, < 5.0.15
- NuGet/Microsoft.NETCore.App.Runtime.Mono.LLVM.linux-x64>= 5.0.0, < 5.0.15
- NuGet/Microsoft.NETCore.App.Runtime.Mono.LLVM.osx-x64>= 5.0.0, < 5.0.15
- NuGet/Microsoft.NETCore.App.Runtime.Mono.maccatalyst-arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.maccatalyst-arm64.Msi.arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.maccatalyst-arm64.Msi.x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.maccatalyst-arm64.Msi.x86>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.maccatalyst-x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.maccatalyst-x64.Msi.arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.maccatalyst-x64.Msi.x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.maccatalyst-x64.Msi.x86>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.osx-arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.osx-x64>= 5.0.0, < 5.0.15
- NuGet/Microsoft.NETCore.App.Runtime.Mono.tvos-arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.tvos-arm64.Msi.arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.tvos-arm64.Msi.x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.tvos-arm64.Msi.x86>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.tvossimulator-arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.tvossimulator-arm64.Msi.arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.tvossimulator-arm64.Msi.x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.tvossimulator-arm64.Msi.x86>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.tvossimulator-x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.tvossimulator-x64.Msi.arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.tvossimulator-x64.Msi.x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.tvossimulator-x64.Msi.x86>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.win-x64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.Mono.win-x86>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.osx-arm64>= 6.0.0, < 6.0.3
- NuGet/Microsoft.NETCore.App.Runtime.osx-x64>= 3.0.0, < 3.1.23
- NuGet/Microsoft.NETCore.App.Runtime.win-arm>= 3.0.0, < 3.1.23
- NuGet/Microsoft.NETCore.App.Runtime.win-arm64>= 3.0.0, < 3.1.23
- NuGet/Microsoft.NETCore.App.Runtime.win-x64>= 3.0.0, < 3.1.23
- NuGet/Microsoft.NETCore.App.Runtime.win-x86>= 3.0.0, < 3.1.23
- PyPI/brotlifrom 0, < 1.0.8
- PyPI/brotlifrom 0, < 1.0.8
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L |
References (45)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-36846
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-8927
- PATCHhttps://crates.io/crates/brotli-sys
- PATCHhttps://crates.io/crates/compu-brotli-sys
- PATCHhttps://github.com/bitemyapp/brotli2-rs
- PATCHhttps://github.com/google/brotli/pull/826
- WEBhttp://lists.opensuse.org/opensuse-security-announce/2020-09/msg00108.html
- WEBhttps://github.com/advisories/GHSA-5v8v-66v8-mwm7
- WEBhttps://github.com/bitemyapp/brotli2-rs/issues/45
- WEBhttps://github.com/github/advisory-database/issues/785
- WEBhttps://github.com/google/brotli/commit/223d80cfbec8fd346e32906c732c8ede21f0cea6
- WEBhttps://github.com/google/brotli/releases/tag/v1.0.8
- WEBhttps://github.com/google/brotli/releases/tag/v1.0.9
- WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/brotli/PYSEC-2020-29.yaml
- WEBhttps://github.com/timlegge/perl-IO-Compress-Brotli/blob/8b44c83b23bb4658179e1494af4b725a1bc476bc/Changes#L52
- WEBhttps://lists.debian.org/debian-lts-announce/2020/12/msg00003.html
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/356JOYTWW4BWSZ42SEFLV7NYHL3S3AEH/
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4TOGTZ2ZWDH662ZNFFSZVL3M5AJXV6JF/
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J4E265WKWKYMK2RYYSIXBEGZTDY5IQE6/
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M4VCDOJGL6BK3HB4XRD2WETBPYX2ITF6/
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MMBKACMLSRX7JJSKBTR35UOEP2WFR6QP/
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQLM7ABVCYJLF6JRPF3M3EBXW63GNC27/
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W23CUADGMVMQQNFKHPHXVP7RPZJZNN6I/
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WW62OZEY2GHJL4JCOLJRBSRETXDHMWRK/
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZXEQ3GQVELA2T4HNZG7VPMS2HDVXMJRG/
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/356JOYTWW4BWSZ42SEFLV7NYHL3S3AEH
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/356JOYTWW4BWSZ42SEFLV7NYHL3S3AEH/
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/4TOGTZ2ZWDH662ZNFFSZVL3M5AJXV6JF
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/J4E265WKWKYMK2RYYSIXBEGZTDY5IQE6
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/J4E265WKWKYMK2RYYSIXBEGZTDY5IQE6/
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/M4VCDOJGL6BK3HB4XRD2WETBPYX2ITF6
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/M4VCDOJGL6BK3HB4XRD2WETBPYX2ITF6/
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/MMBKACMLSRX7JJSKBTR35UOEP2WFR6QP
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/MMBKACMLSRX7JJSKBTR35UOEP2WFR6QP/
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/MQLM7ABVCYJLF6JRPF3M3EBXW63GNC27
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/W23CUADGMVMQQNFKHPHXVP7RPZJZNN6I
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/W23CUADGMVMQQNFKHPHXVP7RPZJZNN6I/
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/WW62OZEY2GHJL4JCOLJRBSRETXDHMWRK
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/WW62OZEY2GHJL4JCOLJRBSRETXDHMWRK/
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/ZXEQ3GQVELA2T4HNZG7VPMS2HDVXMJRG
- WEBhttps://rustsec.org/advisories/RUSTSEC-2021-0131.html
- WEBhttps://rustsec.org/advisories/RUSTSEC-2021-0132.html
- WEBhttps://usn.ubuntu.com/4568-1
- WEBhttps://usn.ubuntu.com/4568-1/
- WEBhttps://www.debian.org/security/2020/dsa-4801