HIGH

GHSA-gm62-xv2j-4w53

urllib3 allows an unbounded number of links in the decompression chain

Details

## Impact

urllib3 supports chained HTTP encoding algorithms for response content according to RFC 9110 (e.g., `Content-Encoding: gzip, zstd`).

However, the number of links in the decompression chain was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps, leading to high CPU usage and massive memory allocation for the decompressed data.

## Affected usages

Applications and libraries using urllib3 version 2.5.0 and earlier for HTTP requests to untrusted sources, unless they explicitly disable content decoding.

## Remediation

Upgrade to at least urllib3 v2.6.0 in which the library limits the number of links to 5.

If upgrading is not immediately possible, use [`preload_content=False`](https://urllib3.readthedocs.io/en/2.5.0/advanced-usage.html#streaming-and-i-o) and ensure that `resp.headers["content-encoding"]` contains a safe number of encodings before reading the response content.
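The following is an added example, not urllib3's own code, showing both halves of what the advisory describes: how a chained `Content-Encoding` is undone in reverse order of the header (RFC 9110), and the pre-2.6.0 workaround of opening the response with `preload_content=False` and checking the number of encoding links before reading the body. The link limit of 5 comes from the advisory; `FakeResponse`, `encode_chain`, `read_guarded` and `fetch_guarded` are names chosen for this example, and only `gzip`/`deflate`/`identity` are decoded so it runs offline with the standard library alone.

```python
"""Bounded Content-Encoding chain handling (added example, not urllib3's code)."""
import gzip
import zlib
from typing import Callable, Dict, List, Optional

# Upper bound on chain links; the advisory states urllib3 2.6.0 limits this to 5.
MAX_ENCODING_LINKS = 5

# Decoders available offline from the standard library. zstd and br are left out
# on purpose so the example has no third-party dependencies.
DECODERS: Dict[str, Callable[[bytes], bytes]] = {
    "gzip": gzip.decompress,
    "x-gzip": gzip.decompress,
    "deflate": zlib.decompress,
    "identity": lambda data: data,
}


def parse_content_encoding(header: Optional[str]) -> List[str]:
    """Split 'gzip, Deflate' into ['gzip', 'deflate'] (lower-cased, blanks dropped)."""
    if not header:
        return []
    return [tok.strip().lower() for tok in header.split(",") if tok.strip()]


def is_safe_chain(header: Optional[str], max_links: int = MAX_ENCODING_LINKS) -> bool:
    """True when the chain length is within the bound the fixed library enforces."""
    return len(parse_content_encoding(header)) <= max_links


def decode_bounded(body: bytes, header: Optional[str],
                   max_links: int = MAX_ENCODING_LINKS) -> bytes:
    """Undo a Content-Encoding chain, refusing chains longer than max_links."""
    encodings = parse_content_encoding(header)
    if len(encodings) > max_links:
        raise ValueError(f"refusing {len(encodings)} encoding links (max {max_links})")
    # RFC 9110 lists encodings in the order they were applied, so undo them in reverse.
    for enc in reversed(encodings):
        if enc not in DECODERS:
            raise ValueError(f"unsupported content-coding {enc!r}")
        body = DECODERS[enc](body)
    return body


def encode_chain(body: bytes, encodings: List[str]) -> bytes:
    """Constructed helper: apply encoders in header order to build sample payloads."""
    encoders = {"gzip": gzip.compress, "deflate": zlib.compress, "identity": lambda d: d}
    for enc in encodings:
        body = encoders[enc](body)
    return body


def read_guarded(resp, max_links: int = MAX_ENCODING_LINKS) -> bytes:
    """Workaround for urllib3 <= 2.5.0: with preload_content=False the body is not
    read (or decoded) until .read(), so the header can be checked first.
    `resp` only needs .headers (case-insensitive get), .read() and .close()."""
    header = resp.headers.get("content-encoding")
    if not is_safe_chain(header, max_links):
        resp.close()  # drop the connection without ever touching the body
        raise ValueError(f"unsafe Content-Encoding chain: {header!r}")
    return resp.read()


class FakeResponse:
    """Constructed stand-in for urllib3's HTTPResponse so the demo runs offline."""

    def __init__(self, headers: Dict[str, str], body: bytes):
        self.headers = {k.lower(): v for k, v in headers.items()}
        self._body = body
        self.closed = False

    def read(self) -> bytes:
        return self._body

    def close(self) -> None:
        self.closed = True


def fetch_guarded(url: str) -> bytes:
    """Real usage pattern with urllib3 (hypothetical call site; not run offline)."""
    import urllib3  # imported here so the rest of the file runs without urllib3
    http = urllib3.PoolManager()
    resp = http.request("GET", url, preload_content=False)
    try:
        return read_guarded(resp)
    finally:
        resp.release_conn()


if __name__ == "__main__":
    payload = encode_chain(b"hello world", ["deflate", "gzip"])
    print(decode_bounded(payload, "deflate, gzip"))
    hostile = FakeResponse({"Content-Encoding": ", ".join(["gzip"] * 6)}, b"...")
    try:
        read_guarded(hostile)
    except ValueError as exc:
        print("rejected:", exc, "| connection closed:", hostile.closed)
```

Note that the header check only bounds the number of links; the size of the decompressed output is a separate concern, and a streaming read with a size cap remains advisable for untrusted servers regardless of version.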

Affected packages

PyPI / urllib3
Introduced in: 1.24
Fixed in: 2.6.0
Fix: `pip install --upgrade 'urllib3>=2.6.0'`
