{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/python-packaging-index-pypi/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["urllib3 (\u003c 2.7.0)"],"_cs_severities":["high"],"_cs_tags":["urllib3","header-leak","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Python Packaging Index (PyPI)"],"content_html":"\u003cp\u003eThe urllib3 library, a popular Python HTTP client, is vulnerable to sensitive header leakage (CVE-2026-44431) when handling cross-origin redirects in its low-level API. Specifically, when applications use \u003ccode\u003eHTTPConnection.urlopen()\u003c/code\u003e instances created via \u003ccode\u003eProxyManager.connection_from_url()\u003c/code\u003e and allow cross-origin redirects, sensitive headers like \u003ccode\u003eAuthorization\u003c/code\u003e, \u003ccode\u003eCookie\u003c/code\u003e, and \u003ccode\u003eProxy-Authorization\u003c/code\u003e are inadvertently forwarded to the redirect destination. This behavior can expose sensitive credentials to unintended third-party servers. This vulnerability affects urllib3 versions before 2.7.0. Defenders should prioritize upgrading urllib3 to version 2.7.0 or later to mitigate this risk and ensure proper handling of sensitive headers during redirects. If immediate upgrade is not feasible, applications should avoid using the vulnerable low-level redirect flow for cross-origin redirects and consider switching to \u003ccode\u003eProxyManager.request()\u003c/code\u003e instead.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker controls a malicious website or compromises an existing one.\u003c/li\u003e\n\u003cli\u003eA user\u0026rsquo;s application (using a vulnerable urllib3 version) initiates an HTTP request to a controlled domain.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s server responds with an HTTP 302 redirect to a different, attacker-controlled origin.\u003c/li\u003e\n\u003cli\u003eThe application, using \u003ccode\u003eProxyManager.connection_from_url().urlopen(..., assert_same_host=False)\u003c/code\u003e, follows the redirect.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, the application inappropriately forwards sensitive headers (Authorization, Cookie, Proxy-Authorization) along with the redirected request.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s server receives the forwarded request containing the sensitive headers, potentially including authentication tokens or session IDs.\u003c/li\u003e\n\u003cli\u003eThe attacker captures and logs these sensitive headers.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the captured credentials to impersonate the user or gain unauthorized access to protected resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-44431) can lead to the exposure of sensitive user credentials, including authentication tokens and session cookies. The impact ranges from account compromise to unauthorized access to sensitive data and resources. The number of potential victims depends on the adoption rate of vulnerable urllib3 versions and the frequency with which applications utilize the susceptible low-level redirect flow. Applications that handle authentication or authorization via HTTP headers are particularly at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to urllib3 version 2.7.0 or later to remediate the vulnerability (CVE-2026-44431), where sensitive headers are stripped from redirects followed by \u003ccode\u003eHTTPConnection\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately possible, avoid using the low-level redirect flow (\u003ccode\u003eProxyManager.connection_from_url().urlopen(..., assert_same_host=False)\u003c/code\u003e) for cross-origin redirects.\u003c/li\u003e\n\u003cli\u003eConsider switching to \u003ccode\u003eProxyManager.request()\u003c/code\u003e if appropriate for your use case, as this high-level API strips sensitive headers during redirects by default.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect urllib3 Low-Level API Cross-Origin Redirect with Sensitive Headers\u0026rdquo; to detect potential exploitation attempts by monitoring for the vulnerable code pattern.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-11T14:53:59Z","date_published":"2026-05-11T14:53:59Z","id":"https://feed.craftedsignal.io/briefs/2026-05-urllib3-header-leak/","summary":"Sensitive headers (`Authorization`, `Cookie`, and `Proxy-Authorization`) are forwarded across origins in proxied low-level redirects when using `HTTPConnection.urlopen()` instances created via `ProxyManager.connection_from_url()` in urllib3 versions before 2.7.0, potentially exposing credentials to unintended third parties; upgrade to version 2.7.0 or later to remediate this issue.","title":"urllib3 Sensitive Header Leak in Low-Level Redirects (CVE-2026-44431)","url":"https://feed.craftedsignal.io/briefs/2026-05-urllib3-header-leak/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["urllib3 (\u003e= 2.6.0, \u003c 2.7.0)"],"_cs_severities":["medium"],"_cs_tags":["decompression-bomb","denial-of-service","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Python Packaging Index (PyPI)"],"content_html":"\u003cp\u003eUrllib3\u0026rsquo;s streaming API, designed for efficient handling of large HTTP responses by reading content in chunks, contains a vulnerability in versions prior to 2.7.0. When decompressing content based on the HTTP \u003ccode\u003eContent-Encoding\u003c/code\u003e header (\u003ccode\u003egzip\u003c/code\u003e, \u003ccode\u003edeflate\u003c/code\u003e, \u003ccode\u003ebr\u003c/code\u003e, or \u003ccode\u003ezstd\u003c/code\u003e), the library could decompress the entire response instead of the requested portion in specific cases: when using the Brotli library during the second \u003ccode\u003eHTTPResponse.read(amt=N)\u003c/code\u003e call, or when \u003ccode\u003eHTTPResponse.drain_conn()\u003c/code\u003e was called after the response was partially read and decompressed. This can lead to excessive resource consumption (high CPU usage and memory allocation) on the client side, creating a denial-of-service condition. The vulnerability affects applications streaming compressed responses from untrusted sources. This issue is tracked as CVE-2026-44432.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker hosts a malicious server with a compressed response (e.g., using Brotli compression) designed to trigger a decompression bomb.\u003c/li\u003e\n\u003cli\u003eA vulnerable application using urllib3 initiates a request to the attacker\u0026rsquo;s server via HTTP.\u003c/li\u003e\n\u003cli\u003eThe server responds with a small, highly compressed payload and a \u003ccode\u003eContent-Encoding\u003c/code\u003e header indicating the compression type (e.g., \u003ccode\u003ebr\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe application uses urllib3\u0026rsquo;s streaming API to read the response body in chunks with \u003ccode\u003eHTTPResponse.read(amt=N)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eIf using Brotli, and the application calls \u003ccode\u003eHTTPResponse.read(amt=N)\u003c/code\u003e a second time, urllib3 attempts to decompress the \u003cem\u003eentire\u003c/em\u003e response body, regardless of how much data was requested.\u003c/li\u003e\n\u003cli\u003eAlternatively, if the application calls \u003ccode\u003eHTTPResponse.drain_conn()\u003c/code\u003e after partially decompressing the response, urllib3 will attempt to decompress the rest of the payload.\u003c/li\u003e\n\u003cli\u003eThe large amount of data resulting from the decompression bomb consumes excessive CPU and memory resources on the client.\u003c/li\u003e\n\u003cli\u003eThe client application becomes unresponsive, potentially leading to a denial-of-service condition.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to a denial-of-service (DoS) condition on the client side. Applications using affected versions of urllib3 (\u0026gt;= 2.6.0, \u0026lt; 2.7.0) that process compressed data from untrusted sources are vulnerable. The primary damage is excessive CPU and memory consumption, which can render the application unusable. While the exact number of victims is unknown, any application relying on urllib3 for handling compressed HTTP responses is potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to urllib3 version 2.7.0 or later to remediate CVE-2026-44432 as noted in the \u003ca href=\"https://github.com/advisories/GHSA-mf9v-mfxr-j63j\"\u003eGHSA-mf9v-mfxr-j63j advisory\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately possible and the Brotli library is being used, consider switching from the \u003ccode\u003ebrotli\u003c/code\u003e package to \u003ccode\u003ebrotlicffi\u003c/code\u003e as a temporary workaround, as described in the \u003ca href=\"https://github.com/advisories/GHSA-mf9v-mfxr-j63j\"\u003eGHSA-mf9v-mfxr-j63j advisory\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eReview your code for explicit calls to \u003ccode\u003eHTTPResponse.drain_conn()\u003c/code\u003e and replace them with \u003ccode\u003eHTTPResponse.close()\u003c/code\u003e if connection reuse is not required, as recommended in the \u003ca href=\"https://github.com/advisories/GHSA-mf9v-mfxr-j63j\"\u003eGHSA-mf9v-mfxr-j63j advisory\u003c/a\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-11T14:53:45Z","date_published":"2026-05-11T14:53:45Z","id":"https://feed.craftedsignal.io/briefs/2026-05-urllib3-decompression-bomb/","summary":"Urllib3 versions before 2.7.0 are vulnerable to excessive resource consumption when using the streaming API to decompress responses, particularly when using the Brotli library or calling HTTPResponse.drain_conn() after partial decompression, leading to high CPU usage and memory allocation, potentially causing a denial-of-service condition (CVE-2026-44432).","title":"Urllib3 Decompression Bomb Vulnerability in Streaming API (CVE-2026-44432)","url":"https://feed.craftedsignal.io/briefs/2026-05-urllib3-decompression-bomb/"}],"language":"en","title":"CraftedSignal Threat Feed — Python Packaging Index (PyPI)","version":"https://jsonfeed.org/version/1.1"}