https://feed.craftedsignal.io/vendors/python-packaging-index-pypi/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioMon, 11 May 2026 14:53:59 +0000https://feed.craftedsignal.io/briefs/2026-05-urllib3-header-leak/Mon, 11 May 2026 14:53:59 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-urllib3-header-leak/Sensitive headers (`Authorization`, `Cookie`, and `Proxy-Authorization`) are forwarded across origins in proxied low-level redirects when using `HTTPConnection.urlopen()` instances created via `ProxyManager.connection_from_url()` in urllib3 versions before 2.7.0, potentially exposing credentials to unintended third parties; upgrade to version 2.7.0 or later to remediate this issue.The urllib3 library, a popular Python HTTP client, is vulnerable to sensitive header leakage (CVE-2026-44431) when handling cross-origin redirects in its low-level API. Specifically, when applications use HTTPConnection.urlopen() instances created via ProxyManager.connection_from_url() and allow cross-origin redirects, sensitive headers like Authorization, Cookie, and Proxy-Authorization are inadvertently forwarded to the redirect destination. This behavior can expose sensitive credentials to unintended third-party servers. This vulnerability affects urllib3 versions before 2.7.0. Defenders should prioritize upgrading urllib3 to version 2.7.0 or later to mitigate this risk and ensure proper handling of sensitive headers during redirects. If immediate upgrade is not feasible, applications should avoid using the vulnerable low-level redirect flow for cross-origin redirects and consider switching to ProxyManager.request() instead.

Attack Chain

1. The attacker controls a malicious website or compromises an existing one.
2. A user’s application (using a vulnerable urllib3 version) initiates an HTTP request to a controlled domain.
3. The attacker’s server responds with an HTTP 302 redirect to a different, attacker-controlled origin.
4. The application, using ProxyManager.connection_from_url().urlopen(..., assert_same_host=False), follows the redirect.
5. Due to the vulnerability, the application inappropriately forwards sensitive headers (Authorization, Cookie, Proxy-Authorization) along with the redirected request.
6. The attacker’s server receives the forwarded request containing the sensitive headers, potentially including authentication tokens or session IDs.
7. The attacker captures and logs these sensitive headers.
8. The attacker uses the captured credentials to impersonate the user or gain unauthorized access to protected resources.

Impact

Successful exploitation of this vulnerability (CVE-2026-44431) can lead to the exposure of sensitive user credentials, including authentication tokens and session cookies. The impact ranges from account compromise to unauthorized access to sensitive data and resources. The number of potential victims depends on the adoption rate of vulnerable urllib3 versions and the frequency with which applications utilize the susceptible low-level redirect flow. Applications that handle authentication or authorization via HTTP headers are particularly at risk.

Recommendation

• Upgrade to urllib3 version 2.7.0 or later to remediate the vulnerability (CVE-2026-44431), where sensitive headers are stripped from redirects followed by HTTPConnection.
• If upgrading is not immediately possible, avoid using the low-level redirect flow (ProxyManager.connection_from_url().urlopen(..., assert_same_host=False)) for cross-origin redirects.
• Consider switching to ProxyManager.request() if appropriate for your use case, as this high-level API strips sensitive headers during redirects by default.
• Deploy the Sigma rule “Detect urllib3 Low-Level API Cross-Origin Redirect with Sensitive Headers” to detect potential exploitation attempts by monitoring for the vulnerable code pattern.

]]>highadvisoryurllib3header-leakvulnerabilityhttps://feed.craftedsignal.io/briefs/2026-05-urllib3-decompression-bomb/Mon, 11 May 2026 14:53:45 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-urllib3-decompression-bomb/Urllib3 versions before 2.7.0 are vulnerable to excessive resource consumption when using the streaming API to decompress responses, particularly when using the Brotli library or calling HTTPResponse.drain_conn() after partial decompression, leading to high CPU usage and memory allocation, potentially causing a denial-of-service condition (CVE-2026-44432).Urllib3’s streaming API, designed for efficient handling of large HTTP responses by reading content in chunks, contains a vulnerability in versions prior to 2.7.0. When decompressing content based on the HTTP Content-Encoding header (gzip, deflate, br, or zstd), the library could decompress the entire response instead of the requested portion in specific cases: when using the Brotli library during the second HTTPResponse.read(amt=N) call, or when HTTPResponse.drain_conn() was called after the response was partially read and decompressed. This can lead to excessive resource consumption (high CPU usage and memory allocation) on the client side, creating a denial-of-service condition. The vulnerability affects applications streaming compressed responses from untrusted sources. This issue is tracked as CVE-2026-44432.

Attack Chain

1. An attacker hosts a malicious server with a compressed response (e.g., using Brotli compression) designed to trigger a decompression bomb.
2. A vulnerable application using urllib3 initiates a request to the attacker’s server via HTTP.
3. The server responds with a small, highly compressed payload and a Content-Encoding header indicating the compression type (e.g., br).
4. The application uses urllib3’s streaming API to read the response body in chunks with HTTPResponse.read(amt=N).
5. If using Brotli, and the application calls HTTPResponse.read(amt=N) a second time, urllib3 attempts to decompress the entire response body, regardless of how much data was requested.
6. Alternatively, if the application calls HTTPResponse.drain_conn() after partially decompressing the response, urllib3 will attempt to decompress the rest of the payload.
7. The large amount of data resulting from the decompression bomb consumes excessive CPU and memory resources on the client.
8. The client application becomes unresponsive, potentially leading to a denial-of-service condition.

Impact

Successful exploitation of this vulnerability can lead to a denial-of-service (DoS) condition on the client side. Applications using affected versions of urllib3 (>= 2.6.0, < 2.7.0) that process compressed data from untrusted sources are vulnerable. The primary damage is excessive CPU and memory consumption, which can render the application unusable. While the exact number of victims is unknown, any application relying on urllib3 for handling compressed HTTP responses is potentially at risk.

Recommendation

• Upgrade to urllib3 version 2.7.0 or later to remediate CVE-2026-44432 as noted in the GHSA-mf9v-mfxr-j63j advisory.
• If upgrading is not immediately possible and the Brotli library is being used, consider switching from the brotli package to brotlicffi as a temporary workaround, as described in the GHSA-mf9v-mfxr-j63j advisory.
• Review your code for explicit calls to HTTPResponse.drain_conn() and replace them with HTTPResponse.close() if connection reuse is not required, as recommended in the GHSA-mf9v-mfxr-j63j advisory.

]]>mediumadvisorydecompression-bombdenial-of-servicevulnerability