**CVE:** CVE-2023-3782

**CVSS Score:** 5.9

**JFrog Severity:** Medium

**Vulnerability:**
- **Summary:** An OkHttp client that installs `BrotliInterceptor` is vulnerable to a Denial of Service (DoS) attack when it fetches from a malicious web server, or when an attacker in a Man-in-the-Middle (MitM) position injects a Brotli decompression bomb into an HTTP response.

**Component:**
- com.squareup.okhttp3:okhttp-brotli

**Affected Versions:**
- Not specified

**Description:**
- A DoS issue exists in the `intercept()` function. If the user adds `BrotliInterceptor` as an interceptor and the request carries no `Accept-Encoding` header, the interceptor adds that header to advertise Brotli and then transparently decompresses any response whose `Content-Encoding` is Brotli. The decompression is unbounded: nothing checks how large the decoded body grows, so a crafted response can exhaust memory and crash the process. Brotli's compression ratio makes this cheap for the attacker: a few bytes (e.g., 5) of compressed input can expand to several MB, and a compressed response of a few MB can expand to roughly 100 GB.

**Vulnerability Mitigations:**
- Remove any usage of the `BrotliInterceptor` class. If Brotli functionality is needed, a fixed version of the class can be found [here](#).

**References:**
- Issue on GitHub: [https://github.com/square/okhttp/issues/7738](https://github.com/square/okhttp/issues/7738)
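The missing guard described above is a cap on decoded bytes. The interceptor below is an added example of one way to add that cap; it is not OkHttp's code and not the fixed class the mitigation links to. It assumes OkHttp 4.x, Okio, and `org.brotli:dec` on the classpath, mirrors the upstream interceptor's behaviour of advertising `br,gzip` and decoding both, and uses a hypothetical default budget of 64 MB. The `BoundedSource` wrapper counts bytes as the decoder produces them and fails with an `IOException` the moment the budget is exceeded, so a bomb costs at most one budget's worth of memory and the connection is simply discarded.

```kotlin
// Added example (not OkHttp's own code): a Brotli/gzip decompressing
// interceptor that refuses to inflate a response body past a fixed cap.
// Assumptions: OkHttp 4.x, Okio, org.brotli:dec on the classpath.
import java.io.IOException
import okhttp3.Interceptor
import okhttp3.Response
import okhttp3.ResponseBody.Companion.asResponseBody
import okio.Buffer
import okio.ForwardingSource
import okio.GzipSource
import okio.Source
import okio.buffer
import okio.source
import org.brotli.dec.BrotliInputStream

/**
 * Wraps a decompressing Source and throws once more than [maxBytes] of
 * decompressed data has been produced. The failure is an IOException, so
 * callers see it like any other stream error and the connection is dropped
 * instead of the JVM running out of heap.
 */
class BoundedSource(delegate: Source, private val maxBytes: Long) : ForwardingSource(delegate) {
  private var total = 0L

  override fun read(sink: Buffer, byteCount: Long): Long {
    if (total > maxBytes) throw IOException("decompressed body exceeds $maxBytes bytes")
    // Ask the decoder for at most one byte past the remaining budget, so a
    // single read cannot materialise a large chunk before we notice the overrun.
    val budget = maxBytes - total + 1
    val n = super.read(sink, minOf(byteCount, budget))
    if (n == -1L) return -1L
    total += n
    if (total > maxBytes) throw IOException("decompressed body exceeds $maxBytes bytes")
    return n
  }
}

/** Drop-in replacement for BrotliInterceptor with a decompression budget (hypothetical default: 64 MB). */
class SafeBrotliInterceptor(
  private val maxDecompressedBytes: Long = 64L * 1024 * 1024,
) : Interceptor {
  override fun intercept(chain: Interceptor.Chain): Response {
    val original = chain.request()
    if (original.header("Accept-Encoding") != null) {
      // The caller manages content encoding itself; leave the response untouched.
      return chain.proceed(original)
    }
    val request = original.newBuilder().header("Accept-Encoding", "br,gzip").build()
    val response = chain.proceed(request)
    val body = response.body ?: return response
    val encoding = response.header("Content-Encoding") ?: return response

    val decoded: Source = when {
      encoding.equals("br", ignoreCase = true) ->
        BrotliInputStream(body.source().inputStream()).source()
      encoding.equals("gzip", ignoreCase = true) -> GzipSource(body.source())
      else -> return response
    }
    val bounded = BoundedSource(decoded, maxDecompressedBytes).buffer()
    return response.newBuilder()
      .removeHeader("Content-Encoding")
      .removeHeader("Content-Length")
      .body(bounded.asResponseBody(body.contentType(), -1L))
      .build()
  }
}
```

Register it with `OkHttpClient.Builder().addInterceptor(SafeBrotliInterceptor())` in place of `BrotliInterceptor`. The cap is enforced on decoded bytes regardless of how the caller consumes the body, so even `response.body?.string()` cannot pull more than the budget into memory; pick the budget from the largest legitimate response the application expects, not from the compressed `Content-Length`, which an attacker controls.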