Vulnerability Report
Package: urllib3 (transitive dependency)
Installed Version: 2.5.0
CVEs
| CVE / GHSA ID | Description | Severity | Fixed In |
| --- | --- | --- | --- |
| GHSA-38jv-5279-wg99 | Decompression-bomb safeguards bypassed on redirects | High | 2.6.3 |
| GHSA-2xpw-w6gg-jr37 | Streaming API improperly handles highly compressed data | Medium | 2.6.0 |
| GHSA-gm62-xv2j-4w53 | Unbounded links in decompression chain | Medium | 2.6.0 |
Details
urllib3 2.5.0 contains three vulnerabilities related to decompression handling:
- GHSA-38jv-5279-wg99 (most severe): Decompression-bomb safeguards are bypassed when following HTTP redirects, allowing a malicious server to deliver highly compressed payloads that expand to consume excessive memory.
- GHSA-2xpw-w6gg-jr37: The streaming API does not properly limit decompression of highly compressed data, leading to potential denial of service.
- GHSA-gm62-xv2j-4w53: Unbounded links in the decompression chain allow attackers to craft responses with nested compression that exhaust resources.
All three are fixed in urllib3 >= 2.6.3.
Impact
urllib3 is a transitive dependency pulled in by requests. This SDK uses requests >= 2.31.0 as a direct dependency. The vulnerability could affect any HTTP communication with untrusted servers.
Remediation
Add a minimum version constraint for urllib3 >= 2.6.3 or update requests to a version that requires a patched urllib3.
Found by osv-scanner