{"id":"RUSTSEC-2021-0131","summary":"Integer overflow in the bundled Brotli C library","details":"A buffer overflow exists in the Brotli library versions prior to 1.0.8 where an attacker controlling the input length of a \"one-shot\" decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 GiB.\n\nAn updated version of `brotli-sys` has not been released. If one cannot update the C library, its authors recommend to use the \"streaming\" API as opposed to the \"one-shot\" API, and impose chunk size limits.\n\nIn Rust the issue can be mitigated by migrating to the `brotli` crate, which provides a Rust implementation of Brotli compression and decompression that is not affected by this issue.","aliases":["BIT-brotli-2020-8927","BIT-dotnet-2020-8927","BIT-dotnet-sdk-2020-8927","BIT-powershell-2020-8927","CVE-2020-36846","CVE-2020-8927","GHSA-5v8v-66v8-mwm7","GO-2025-3726","PYSEC-2020-29","RUSTSEC-2021-0132"],"modified":"2025-09-04T18:27:28.943295Z","published":"2021-12-20T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/brotli-sys"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2021-0131.html"},{"type":"REPORT","url":"https://github.com/bitemyapp/brotli2-rs/issues/45"},{"type":"WEB","url":"https://github.com/google/brotli/releases/tag/v1.0.9"}],"affected":[{"package":{"name":"brotli-sys","ecosystem":"crates.io","purl":"pkg:cargo/brotli-sys"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"}]}],"ecosystem_specific":{"affects":{"functions":[],"os":[],"arch":[]},"affected_functions":null},"database_specific":{"categories":["memory-corruption"],"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2021-0131.json","cvss":null,"informational":null}}],"schema_version":"1.7.3"}