{"id":"RUSTSEC-2021-0132","summary":"Integer overflow in the bundled Brotli C library","details":"A buffer overflow exists in the Brotli library versions prior to 1.0.8 where an attacker controlling the input length of a \"one-shot\" decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 GiB.\n\nIf one cannot update the C library, its authors recommend to use the \"streaming\" API as opposed to the \"one-shot\" API, and impose chunk size limits.","aliases":["BIT-brotli-2020-8927","BIT-dotnet-2020-8927","BIT-dotnet-sdk-2020-8927","BIT-powershell-2020-8927","CVE-2020-36846","CVE-2020-8927","GHSA-5v8v-66v8-mwm7","GO-2025-3726","PYSEC-2020-29","RUSTSEC-2021-0131"],"modified":"2025-10-28T06:02:18Z","published":"2021-12-20T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/compu-brotli-sys"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2021-0132.html"},{"type":"WEB","url":"https://github.com/google/brotli/releases/tag/v1.0.9"}],"affected":[{"package":{"name":"compu-brotli-sys","ecosystem":"crates.io","purl":"pkg:cargo/compu-brotli-sys"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"1.0.9"}]}],"ecosystem_specific":{"affected_functions":null,"affects":{"arch":[],"functions":[],"os":[]}},"database_specific":{"categories":["memory-corruption"],"cvss":null,"informational":null,"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2021-0132.json"}}],"schema_version":"1.7.3"}