Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN055
_____________________________________________________________________

DATE                : 20/01/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running urllib3 versions prior to
                                         2.6.3.

=====================================================================
https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99
_____________________________________________________________________

Decompression-bomb safeguards bypassed when following HTTP redirects 
(streaming API)
High
illia-v published GHSA-38jv-5279-wg99 Jan 7, 2026

Package
urllib3 (pip)

Affected versions
>=1.22,<2.6.3

Patched versions
2.6.3


Description


Impact

urllib3's streaming API is designed for the efficient handling of 
large HTTP responses by reading the content in chunks, rather than 
loading the entire response body into memory at once.

urllib3 can perform decoding or decompression based on the HTTP 
Content-Encoding header (e.g., gzip, deflate, br, or zstd). When using 
the streaming API, the library decompresses only the necessary bytes, 
enabling partial content consumption.

However, for HTTP redirect responses, the library would read the 
entire response body to drain the connection and decompress the 
content unnecessarily. This decompression occurred even before any 
read methods were called, and configured read limits did not restrict 
the amount of decompressed data. As a result, there was no safeguard 
against decompression bombs. A malicious server could exploit this to 
trigger excessive resource consumption on the client (high CPU usage 
and large memory allocations for decompressed data; CWE-409).


Affected usages

Applications and libraries using urllib3 version 2.6.2 and earlier to 
stream content from untrusted sources by setting preload_content=False 
when they do not disable redirects.


Remediation

Upgrade to at least urllib3 v2.6.3 in which the library does not 
decode content of redirect responses when preload_content=False.

If upgrading is not immediately possible, disable redirects by setting 
redirect=False for requests to untrusted source.


Severity
High
8.9/ 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements Present
Privileges Required None
User interaction None
Vulnerable System Impact Metrics
Confidentiality None
Integrity None
Availability High
Subsequent System Impact Metrics
Confidentiality None
Integrity None
Availability High
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

CVE ID
CVE-2026-21441

Weaknesses
Weakness CWE-409


Credits

    @D47A D47A Reporter
    @illia-v illia-v Coordinator
    @pquentin pquentin Remediation reviewer
    @sethmlarson sethmlarson Remediation reviewer


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================