Description
urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) when HTTPResponse.drain_conn() was called after the response had been read and decompressed partially (compression algorithm did not matter here). These issues could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This could result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data) on the client side. This vulnerability is fixed in 2.7.0.
Published: 2026-05-13
Score: 8.9 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in urllib3 allows the library to decompress the entire response instead of just the requested portion during certain streaming API calls when Brotli or other compression is used. This causes the client to fully decode a small amount of highly compressed data in a single operation, leading to excessive CPU usage and large memory consumption. The direct impact is a denial‑of‑service condition on the client, potentially bringing an application or system to unresponsiveness when confronted with maliciously compressed input.

Affected Systems

Python applications that depend on the urllib3 library, specifically versions from 2.6.0 up to but not including 2.7.0, are affected. The issue applies to any environment where urllib3 processes HTTP responses that may be compressed, such as web clients, API consumers, or any service built on top of urllib3.

Risk and Exploitability

The CVSS score is 8.9, indicating high severity. No EPSS score is available, and the vulnerability is not listed as a known exploited vulnerability in the CISA catalog. Attackers can trigger the flaw by sending a specially crafted compressed HTTP response to any client using an affected urllib3 version. Because the exception is triggered during normal decompression operations, the attacker need only communicate with the vulnerable client over HTTP/HTTPS, making the attack vector external and transport‑layer based. The impact is limited to the victim’s system, but overall application availability can be severely disrupted.

Generated by OpenCVE AI on May 13, 2026 at 17:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade urllib3 to version 2.7.0 or later to apply the official fix.
  • If an upgrade cannot be made immediately, configure the application to disable automatic decompression or postpone decompression until after validating the compressed data size.
  • Implement application‑level checks that limit the size of decompressed data before it is processed to prevent resource exhaustion.

Generated by OpenCVE AI on May 13, 2026 at 17:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-mf9v-mfxr-j63j urllib3: Decompression-bomb safeguards bypassed in parts of the streaming API
History

Thu, 14 May 2026 14:00:00 +0000

Type Values Removed Values Added
First Time appeared Python
Python urllib3
CPEs cpe:2.3:a:python:urllib3:*:*:*:*:*:*:*:*
Vendors & Products Python
Python urllib3
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Wed, 13 May 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Urllib3
Urllib3 urllib3
Vendors & Products Urllib3
Urllib3 urllib3

Wed, 13 May 2026 16:15:00 +0000

Type Values Removed Values Added
Description urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) when HTTPResponse.drain_conn() was called after the response had been read and decompressed partially (compression algorithm did not matter here). These issues could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This could result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data) on the client side. This vulnerability is fixed in 2.7.0.
Title urllib3: Decompression-bomb safeguards bypassed in parts of the streaming API
Weaknesses CWE-409
References
Metrics cvssV4_0

{'score': 8.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H'}

Subscriptions

Python Urllib3
Urllib3 Urllib3
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-13T15:17:12.611Z

Reserved: 2026-05-06T14:40:00.954Z

Link: CVE-2026-44432

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-13T16:16:57.303

Modified: 2026-05-14T13:49:25.483

Link: CVE-2026-44432

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T18:45:36Z

Weaknesses