Tag
Klever-Go MultiDataInterceptor Remote OOM via Compressed Payload
2 rules, 2 TTPs
Klever-Go's MultiDataInterceptor is vulnerable to a remote denial-of-service (DoS) attack. By sending a crafted compressed P2P payload, an unauthenticated attacker can trigger excessive memory allocation on the receiving node, leading to an out-of-memory (OOM) condition and potentially disrupting chain liveness.
Urllib3 Decompression Bomb Vulnerability in Streaming API (CVE-2026-44432)
2 rules, 1 TTP
Urllib3 versions before 2.7.0 are vulnerable to excessive resource consumption when the streaming API is used to decompress responses, particularly when using the Brotli library or calling HTTPResponse.drain_conn() after partial decompression. This leads to high CPU usage and memory allocation, potentially causing a denial-of-service condition (CVE-2026-44432).
Netty HttpContentDecompressor Brotli/Zstd/Snappy Decompression Bomb Vulnerability
3 rules, 1 TTP
Netty's HttpContentDecompressor and DelegatingDecompressorFrameListener are vulnerable to a decompression bomb denial-of-service attack because the maxAllocation parameter is not enforced when Content-Encoding is set to br (Brotli), zstd, or snappy, allowing attackers to bypass decompression limits and cause unbounded memory allocation.