Fix CVE-2025-6176 vulnerability #556

Closed
opened 2026-01-29 20:45:45 +00:00 by claunia · 5 comments
Owner

Originally created by @marek-elisity on GitHub (Nov 1, 2025).

Hello, is it planned to fix this vulnerability: CVE-2025-617?

Originally created by @marek-elisity on GitHub (Nov 1, 2025). Hello, is it planned to fix this vulnerability: CVE-2025-617?
Author
Owner

@danjac commented on GitHub (Nov 2, 2025):

It appears to be fixed in 1.2.0, but this is still pending deployment to PyPi.

@danjac commented on GitHub (Nov 2, 2025): It appears to be fixed in 1.2.0, but this is [still pending](https://github.com/google/brotli/issues/1327#issuecomment-3475047185) deployment to PyPi.
Author
Owner

@xjw00654 commented on GitHub (Nov 2, 2025):

I just built the wheel for py 3.10 using the command below from gpt using the gh action file as the context...

pip install -U pip cibuildwheel

export PACKAGE_DIR=src/brotli
export CIBW_BUILD="cp310-*"
export CIBW_ARCHS="x86_64"
export CIBW_MANYLINUX_X86_64_IMAGE="manylinux2014"

python -m cibuildwheel --platform linux --output-dir wheelhouse "$PACKAGE_DIR"

hope these file could help:
brotli-1.2.0-cp310-cp310____wheel-packages.zip

BTW, I am not 100% sure the wheel package is configurated & built correctly (even it works fine in my case), please double check before deploying it into any prod env.

@xjw00654 commented on GitHub (Nov 2, 2025): I just built the wheel for py 3.10 using the command below from gpt using the gh action file as the context... ``` pip install -U pip cibuildwheel export PACKAGE_DIR=src/brotli export CIBW_BUILD="cp310-*" export CIBW_ARCHS="x86_64" export CIBW_MANYLINUX_X86_64_IMAGE="manylinux2014" python -m cibuildwheel --platform linux --output-dir wheelhouse "$PACKAGE_DIR" ``` hope these file could help: [brotli-1.2.0-cp310-cp310____wheel-packages.zip](https://github.com/user-attachments/files/23291317/brotli-1.2.0-cp310-cp310____wheel-packages.zip) BTW, I am not 100% sure the wheel package is configurated & built correctly (even it works fine in my case), please double check before deploying it into any prod env.
Author
Owner

@gsmethells commented on GitHub (Nov 3, 2025):

I see " google_opensource" listed as a maintainer on the PyPi.org page but who do we contact for that @google-admin ?

@gsmethells commented on GitHub (Nov 3, 2025): I see " google_opensource" listed as a maintainer on the [PyPi.org page](https://pypi.org/project/Brotli/) but who do we contact for that @google-admin ?
Author
Owner

@Cycloctane commented on GitHub (Nov 6, 2025):

Technically this cve is not for brotli. (See my original security report) Simply upgrading brotli version to v1.2.0 does not fix anything.
To prevent similar DoS vulnerability if application needs to handle compressed data from user inputs, also adjust your codes and make use of output_buffer_limit to limit the data size in every decompress operation.

@Cycloctane commented on GitHub (Nov 6, 2025): Technically this cve is not for brotli. (See [my original security report](https://huntr.com/bounties/2c26a886-5984-47ee-a421-0d5fe1344eb0)) Simply upgrading brotli version to v1.2.0 does not fix anything. To prevent similar DoS vulnerability if application needs to handle compressed data from user inputs, also adjust your codes and make use of `output_buffer_limit` to limit the data size in every decompress operation.
Author
Owner

@eustas commented on GitHub (Nov 7, 2025):

PyPI package uploaded.

@eustas commented on GitHub (Nov 7, 2025): PyPI package uploaded.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/brotli#556