Security implications of 1.2.0 unclear #560

Open
opened 2026-01-29 20:45:49 +00:00 by claunia · 2 comments
Owner

Originally created by @vanschelven on GitHub (Nov 7, 2025).

The most recent version of Brotli has this ALL CAPS note in the changelog:

## [1.2.0] - 2025-10-27

### SECURITY
 - python: added `Decompressor::can_accept_more_data` method and optional
           `output_buffer_limit` argument `Decompressor::process`;
           that allows mitigation of unexpectedly large output;
           reported by Charles Chan (https://github.com/charleswhchan)

It seems from these notes that a user of the Python brotli package would actually need to change their usage (as well as update) but how is not made abundantly clear.

Side note: my git archeology is being hampered by the fact that this note seems to predate the actual release by almost a year. In similar vein: their seems to be a gap between 2025-10-27 and the moment this actually made it to PyPI

Originally created by @vanschelven on GitHub (Nov 7, 2025). The most recent version of Brotli has this ALL CAPS note in the changelog: ``` ## [1.2.0] - 2025-10-27 ### SECURITY - python: added `Decompressor::can_accept_more_data` method and optional `output_buffer_limit` argument `Decompressor::process`; that allows mitigation of unexpectedly large output; reported by Charles Chan (https://github.com/charleswhchan) ``` It _seems_ from these notes that a user of the Python brotli package would actually need to change their usage (as well as update) but how is not made abundantly clear. Side note: my git archeology is being hampered by the fact that this note seems to predate the actual release by almost a year. In similar vein: their seems to be a gap between 2025-10-27 and the moment this actually made it to PyPI
Author
Owner
@vanschelven commented on GitHub (Nov 7, 2025): * https://cvefeed.io/vuln/detail/CVE-2025-6176 * https://huntr.com/bounties/2c26a886-5984-47ee-a421-0d5fe1344eb0 * https://github.com/scrapy/scrapy/pull/7134
Author
Owner

@vanschelven commented on GitHub (Nov 8, 2025):

I figured it out as per the above commits

@vanschelven commented on GitHub (Nov 8, 2025): I figured it out as per the above commits
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/brotli#560