Source: python-urllib3
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security
Hi,

The following vulnerability was published for python-urllib3.

CVE-2026-21441[0]:
| urllib3 is an HTTP client library for Python. urllib3's streaming
| API is designed for the efficient handling of large HTTP responses
| by reading the content in chunks, rather than loading the entire
| response body into memory at once. urllib3 can perform decoding or
| decompression based on the HTTP `Content-Encoding` header (e.g.,
| `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API,
| the library decompresses only the necessary bytes, enabling partial
| content consumption. Starting in version 1.22 and prior to version
| 2.6.3, for HTTP redirect responses, the library would read the
| entire response body to drain the connection and decompress the
| content unnecessarily. This decompression occurred even before any
| read methods were called, and configured read limits did not
| restrict the amount of decompressed data. As a result, there was no
| safeguard against decompression bombs. A malicious server could
| exploit this to trigger excessive resource consumption on the
| client. Applications and libraries are affected when they stream
| content from untrusted sources by setting `preload_content=False`
| when they do not disable redirects. Users should upgrade to at least
| urllib3 v2.6.3, in which the library does not decode content of
| redirect responses when `preload_content=False`. If upgrading is not
| immediately possible, disable redirects by setting `redirect=False`
| for requests to untrusted sources.

https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99
https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b (2.6.3)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-21441
    https://www.cve.org/CVERecord?id=CVE-2026-21441

Please adjust the affected versions in the BTS as needed.
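As an added illustration (not code from the advisory, from urllib3, or from this bug report), the stdlib-only script below reproduces the hazard locally with a constructed redirect whose body is a small gzip bomb, and shows the two safeguards the 2.6.3 fix relies on: a redirect body is dropped without ever being decoded, and a body that is decoded is inflated under a hard output limit. The routes, payloads and function names are assumptions of this example.

```python
import gzip
import http.client
import threading
import zlib
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample bodies: a few KiB of gzip that inflates to 8 MiB of
# zeros (a small decompression bomb), and a harmless final payload.
BOMB = gzip.compress(b"\0" * (8 * 1024 * 1024))
FINAL = gzip.compress(b"hello")
# Hypothetical routes: "/" redirects and carries the bomb as its body,
# "/bomb" serves it directly, anything else serves the final payload.
ROUTES = {"/": (302, BOMB, "/final"), "/bomb": (200, BOMB, None)}

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body, location = ROUTES.get(self.path, (200, FINAL, None))
        self.send_response(status)
        self.send_header("Content-Encoding", "gzip")
        self.send_header("Content-Length", str(len(body)))
        if location:
            self.send_header("Location", location)
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def start_server():
    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def fetch(host, port, path, max_hops=5, max_decoded=1 << 20):
    """Follow redirects by hand; never decode a redirect body; cap inflation."""
    for _ in range(max_hops):
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request("GET", path)
        resp = conn.getresponse()
        location = resp.getheader("Location")
        if 300 <= resp.status < 400 and location:
            conn.close()  # drop the socket instead of draining/decoding the body
            path = location
            continue
        raw = resp.read()
        conn.close()
        inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)  # gzip framing
        out = inflater.decompress(raw, max_decoded)
        if inflater.unconsumed_tail or not inflater.eof:
            raise ValueError("decoded body exceeds %d bytes" % max_decoded)
        return resp.status, out
    raise RuntimeError("too many redirects")
```

Calling `start_server()` and then `fetch("127.0.0.1", srv.server_port, "/")` returns `(200, b"hello")` without the bomb on the redirect ever being inflated, while fetching `/bomb` directly raises `ValueError` once the 1 MiB decode limit is hit.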

