{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/urllib3--2.6.0--2.7.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["urllib3 (\u003e= 2.6.0, \u003c 2.7.0)"],"_cs_severities":["medium"],"_cs_tags":["decompression-bomb","denial-of-service","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Python Packaging Index (PyPI)"],"content_html":"\u003cp\u003eUrllib3\u0026rsquo;s streaming API, designed for efficient handling of large HTTP responses by reading content in chunks, contains a vulnerability in versions prior to 2.7.0. When decompressing content based on the HTTP \u003ccode\u003eContent-Encoding\u003c/code\u003e header (\u003ccode\u003egzip\u003c/code\u003e, \u003ccode\u003edeflate\u003c/code\u003e, \u003ccode\u003ebr\u003c/code\u003e, or \u003ccode\u003ezstd\u003c/code\u003e), the library could decompress the entire response instead of the requested portion in specific cases: when using the Brotli library during the second \u003ccode\u003eHTTPResponse.read(amt=N)\u003c/code\u003e call, or when \u003ccode\u003eHTTPResponse.drain_conn()\u003c/code\u003e was called after the response was partially read and decompressed. This can lead to excessive resource consumption (high CPU usage and memory allocation) on the client side, creating a denial-of-service condition. The vulnerability affects applications streaming compressed responses from untrusted sources. This issue is tracked as CVE-2026-44432.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker hosts a malicious server with a compressed response (e.g., using Brotli compression) designed to trigger a decompression bomb.\u003c/li\u003e\n\u003cli\u003eA vulnerable application using urllib3 initiates a request to the attacker\u0026rsquo;s server via HTTP.\u003c/li\u003e\n\u003cli\u003eThe server responds with a small, highly compressed payload and a \u003ccode\u003eContent-Encoding\u003c/code\u003e header indicating the compression type (e.g., \u003ccode\u003ebr\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe application uses urllib3\u0026rsquo;s streaming API to read the response body in chunks with \u003ccode\u003eHTTPResponse.read(amt=N)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eIf using Brotli, and the application calls \u003ccode\u003eHTTPResponse.read(amt=N)\u003c/code\u003e a second time, urllib3 attempts to decompress the \u003cem\u003eentire\u003c/em\u003e response body, regardless of how much data was requested.\u003c/li\u003e\n\u003cli\u003eAlternatively, if the application calls \u003ccode\u003eHTTPResponse.drain_conn()\u003c/code\u003e after partially decompressing the response, urllib3 will attempt to decompress the rest of the payload.\u003c/li\u003e\n\u003cli\u003eThe large amount of data resulting from the decompression bomb consumes excessive CPU and memory resources on the client.\u003c/li\u003e\n\u003cli\u003eThe client application becomes unresponsive, potentially leading to a denial-of-service condition.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to a denial-of-service (DoS) condition on the client side. Applications using affected versions of urllib3 (\u0026gt;= 2.6.0, \u0026lt; 2.7.0) that process compressed data from untrusted sources are vulnerable. The primary damage is excessive CPU and memory consumption, which can render the application unusable. While the exact number of victims is unknown, any application relying on urllib3 for handling compressed HTTP responses is potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to urllib3 version 2.7.0 or later to remediate CVE-2026-44432 as noted in the \u003ca href=\"https://github.com/advisories/GHSA-mf9v-mfxr-j63j\"\u003eGHSA-mf9v-mfxr-j63j advisory\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately possible and the Brotli library is being used, consider switching from the \u003ccode\u003ebrotli\u003c/code\u003e package to \u003ccode\u003ebrotlicffi\u003c/code\u003e as a temporary workaround, as described in the \u003ca href=\"https://github.com/advisories/GHSA-mf9v-mfxr-j63j\"\u003eGHSA-mf9v-mfxr-j63j advisory\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eReview your code for explicit calls to \u003ccode\u003eHTTPResponse.drain_conn()\u003c/code\u003e and replace them with \u003ccode\u003eHTTPResponse.close()\u003c/code\u003e if connection reuse is not required, as recommended in the \u003ca href=\"https://github.com/advisories/GHSA-mf9v-mfxr-j63j\"\u003eGHSA-mf9v-mfxr-j63j advisory\u003c/a\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-11T14:53:45Z","date_published":"2026-05-11T14:53:45Z","id":"https://feed.craftedsignal.io/briefs/2026-05-urllib3-decompression-bomb/","summary":"Urllib3 versions before 2.7.0 are vulnerable to excessive resource consumption when using the streaming API to decompress responses, particularly when using the Brotli library or calling HTTPResponse.drain_conn() after partial decompression, leading to high CPU usage and memory allocation, potentially causing a denial-of-service condition (CVE-2026-44432).","title":"Urllib3 Decompression Bomb Vulnerability in Streaming API (CVE-2026-44432)","url":"https://feed.craftedsignal.io/briefs/2026-05-urllib3-decompression-bomb/"}],"language":"en","title":"CraftedSignal Threat Feed — Urllib3 (\u003e= 2.6.0, \u003c 2.7.0)","version":"https://jsonfeed.org/version/1.1"}