Open
Labels: security (Security-related issues), vulnerability (Dependency vulnerability)
Description
Vulnerability Report
Package: urllib3 (transitive dependency)
Installed Version: 2.5.0
CVEs
| CVE / GHSA ID | Description | Severity | Fixed In |
|---|---|---|---|
| GHSA-38jv-5279-wg99 | Decompression-bomb safeguards bypassed on redirects | High | 2.6.3 |
| GHSA-2xpw-w6gg-jr37 | Streaming API improperly handles highly compressed data | Medium | 2.6.0 |
| GHSA-gm62-xv2j-4w53 | Unbounded links in decompression chain | Medium | 2.6.0 |
Details
urllib3 2.5.0 contains three vulnerabilities related to decompression handling:
- GHSA-38jv-5279-wg99 (most severe): Decompression-bomb safeguards are bypassed when following HTTP redirects, allowing a malicious server to deliver highly compressed payloads that expand to consume excessive memory.
- GHSA-2xpw-w6gg-jr37: The streaming API does not properly limit decompression of highly compressed data, leading to potential denial of service.
- GHSA-gm62-xv2j-4w53: Unbounded links in the decompression chain allow attackers to craft responses with nested compression that exhaust resources.
All three are fixed in urllib3 >= 2.6.3.
Impact
urllib3 is a transitive dependency pulled in by requests. This SDK uses requests >= 2.31.0 as a direct dependency. These vulnerabilities could affect any HTTP communication with untrusted servers.
Remediation
Add a minimum version constraint for urllib3 >= 2.6.3 or update requests to a version that requires a patched urllib3.
Found by osv-scanner
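As an added check, not part of this report or of osv-scanner, the script below compares an installed urllib3 version against the fix versions in the table above, lists the advisories still open for that version, and prints the pin the remediation asks for. The version ordering is a simplified PEP 440 comparison, an assumption that holds for urllib3's plain X.Y.Z releases.

```python
import re
from importlib import metadata

# Advisory table from the report above: GHSA id -> (severity, first fixed version).
URLLIB3_ADVISORIES = {
    "GHSA-38jv-5279-wg99": ("High", "2.6.3"),
    "GHSA-2xpw-w6gg-jr37": ("Medium", "2.6.0"),
    "GHSA-gm62-xv2j-4w53": ("Medium", "2.6.0"),
}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc|\.dev)\d*)?$")


def version_key(version: str) -> tuple:
    """Simplified PEP 440 ordering key: release tuple, then a flag that sorts
    pre-releases (a/b/rc/dev) below the final release. Assumption: urllib3 ships
    plain X.Y.Z releases, so post-releases and local versions are not handled."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    release += (0,) * (3 - len(release))  # so that 2.6 and 2.6.0 compare equal
    is_final = 0 if m.group(2) else 1
    return (release, is_final)


def unpatched_advisories(installed: str) -> list:
    """GHSA ids whose fix version is newer than the installed version."""
    key = version_key(installed)
    return [ghsa for ghsa, (_, fixed) in URLLIB3_ADVISORIES.items()
            if key < version_key(fixed)]


def minimum_safe_constraint() -> str:
    """Requirement line that clears every advisory in the table."""
    newest_fix = max((fixed for _, fixed in URLLIB3_ADVISORIES.values()),
                     key=version_key)
    return f"urllib3>={newest_fix}"


def installed_urllib3_version() -> str:
    """Version of urllib3 in the current environment, or '' if it is absent."""
    try:
        return metadata.version("urllib3")
    except metadata.PackageNotFoundError:
        return ""


if __name__ == "__main__":
    current = installed_urllib3_version() or "2.5.0"  # report's version as fallback
    open_ids = unpatched_advisories(current)
    print(f"urllib3 {current}: {len(open_ids)} unpatched advisory(ies) {open_ids}")
    print("pin:", minimum_safe_constraint())
```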