Allocation of Resources Without Limits or Throttling Affecting brotlicffi package, versions [,1.2.0.0)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Allocation of Resources Without Limits or Throttling vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-PYTHON-BROTLICFFI-14172734
- published4 Dec 2025
- disclosed2 Dec 2025
- creditUnknown
Introduced: 2 Dec 2025
New CVE NOT AVAILABLE CWE-770 (opens in a new tab)How to fix?
Upgrade brotlicffi to version 1.2.0.0 or higher.
Overview
brotlicffi is a Python CFFI bindings to the Brotli library
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to missing limits on decompressed output size in the Decompressor.decompress() and Decompressor.process() methods. These methods pass attacker-controlled Brotli data into dynamically growing in-memory buffers without enforcing an output_buffer_limit, allowing highly compressible payloads to inflate into extremely large outputs. An attacker can exploit this by supplying crafted Brotli payloads that cause excessive memory consumption, leading to process termination or resource exhaustion.