CVE: CVE-2023-3782
CVSS Score: 5.9
JFrog Severity: Medium
Vulnerability:
Summary: The OkHttp client is vulnerable to a Denial of Service (DoS) attack when using a BrotliInterceptor and browsing to a malicious web server, or when an attacker can perform a MitM attack to inject a Brotli zip-bomb into an HTTP response.
Component: com.squareup.okhttp3:okhttp-brotli
Affected Versions: Not specified
Description: A DoS issue exists in the function. If the user adds as an interceptor and does not add content encoding, the OkHttp client will add the for Brotli encoding and will automatically try to decompress responses. The code does not guard against decompression bombs, which could crash the process due to memory exhaustion. A few bytes (e.g., 5) can cause several MB to be decompressed into 100GB.
Vulnerability Mitigations: Remove any usage of the class. If Brotli functionality is needed, a fixed version of the class can be found here.
References: Issue on GitHub: https://github.com/square/okhttp/issues/7738
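To illustrate the guard the description says is missing, the following is an added example of an OkHttp interceptor that decompresses Brotli-encoded responses but fails closed once the decompressed output exceeds a caller-chosen byte limit. It is example code written for this page, not OkHttp's own class and not the fixed version the advisory refers to. The class names BoundedBrotliInterceptor and LimitedSource are hypothetical; it assumes okhttp3, okio and the org.brotli:dec decoder (org.brotli.dec.BrotliInputStream) are on the classpath.

```java
import java.io.IOException;
import okhttp3.Interceptor;
import okhttp3.Request;
import okhttp3.Response;
import okhttp3.ResponseBody;
import okio.Buffer;
import okio.BufferedSource;
import okio.ForwardingSource;
import okio.Okio;
import okio.Source;
import org.brotli.dec.BrotliInputStream;

/**
 * Hypothetical interceptor (example code, not OkHttp's own): advertises Brotli support,
 * transparently decodes "br" responses, and aborts the read once the decompressed
 * byte count passes maxDecompressedBytes, so a decompression bomb cannot exhaust memory.
 */
public final class BoundedBrotliInterceptor implements Interceptor {
    private final long maxDecompressedBytes;

    public BoundedBrotliInterceptor(long maxDecompressedBytes) {
        this.maxDecompressedBytes = maxDecompressedBytes;
    }

    @Override
    public Response intercept(Chain chain) throws IOException {
        Request request = chain.request();
        if (request.header("Accept-Encoding") != null) {
            // The caller set its own encoding preference; leave the body untouched.
            return chain.proceed(request);
        }
        Response response = chain.proceed(
                request.newBuilder().header("Accept-Encoding", "br").build());
        ResponseBody body = response.body();
        if (body == null || !"br".equalsIgnoreCase(response.header("Content-Encoding"))) {
            return response;
        }
        // Stream the Brotli decoder through a counting source instead of decoding eagerly.
        Source decoded = Okio.source(new BrotliInputStream(body.byteStream()));
        BufferedSource limited = Okio.buffer(new LimitedSource(decoded, maxDecompressedBytes));
        return response.newBuilder()
                .removeHeader("Content-Encoding")
                .removeHeader("Content-Length")   // original length no longer applies
                .body(ResponseBody.create(body.contentType(), -1L, limited))
                .build();
    }

    /** Counts bytes read from the delegate and throws once the limit is exceeded. */
    static final class LimitedSource extends ForwardingSource {
        private final long limit;
        private long total;

        LimitedSource(Source delegate, long limit) {
            super(delegate);
            this.limit = limit;
        }

        @Override
        public long read(Buffer sink, long byteCount) throws IOException {
            long n = super.read(sink, byteCount);
            if (n != -1L) {
                total += n;
                if (total > limit) {
                    // Fail closed: the consumer sees an IOException rather than an OOM.
                    throw new IOException("decompressed body exceeds " + limit + " bytes");
                }
            }
            return n;
        }
    }
}
```

Register it with `new OkHttpClient.Builder().addInterceptor(new BoundedBrotliInterceptor(16L * 1024 * 1024)).build()` or similar. The limit is enforced while streaming, so memory use stays bounded by OkHttp's buffer size rather than by whatever the attacker's payload expands to; the content length is reported as unknown (-1) because the decompressed size cannot be trusted from the response headers.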