Update dependency urllib3 to v2.7.0 [SECURITY]#1913
Merged
Conversation
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
renovate
Bot
force-pushed
the
renovate/pypi-urllib3-vulnerability
branch
from
ee206ec to
34eaa32
Compare
renovate
Bot
force-pushed
the
renovate/pypi-urllib3-vulnerability
branch
from
34eaa32 to
6223bfb
Compare
renovate
Bot
changed the title
renovate
Bot
changed the title
renovate
Bot
force-pushed
the
renovate/pypi-urllib3-vulnerability
branch
2 times, most recently
from
6223bfb to
07e1047
Compare
renovate
Bot
force-pushed
the
renovate/pypi-urllib3-vulnerability
branch
from
07e1047 to
38fddbf
Compare
renovate
Bot
force-pushed
the
renovate/pypi-urllib3-vulnerability
branch
from
38fddbf to
56279fa
Compare
renovate
Bot
force-pushed
the
renovate/pypi-urllib3-vulnerability
branch
from
56279fa to
d9e0dee
Compare
renovate
Bot
force-pushed
the
renovate/pypi-urllib3-vulnerability
branch
from
d9e0dee to
c8556d6
Compare
renovate
Bot
force-pushed
the
renovate/pypi-urllib3-vulnerability
branch
from
c8556d6 to
58f8b73
Compare
renovate
Bot
force-pushed
the
renovate/pypi-urllib3-vulnerability
branch
from
58f8b73 to
c7f5dcb
Compare
renovate
Bot
force-pushed
the
renovate/pypi-urllib3-vulnerability
branch
from
c7f5dcb to
fb9c344
Compare
renovate
Bot
force-pushed
the
renovate/pypi-urllib3-vulnerability
branch
from
fb9c344 to
2262fca
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
==2.6.3→==2.7.0urllib3: Decompression-bomb safeguards bypassed in parts of the streaming API
CVE-2026-44432 / GHSA-mf9v-mfxr-j63j
More information
Details
Impact
urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once.
urllib3 can perform decompression based on the HTTP
Content-Encodingheader (e.g.,gzip,deflate,br, orzstd). When using the streaming API since version 2.6.0, the library decompresses only the necessary bytes, enabling partial content consumption.However, urllib3 before version 2.7.0 could still decompress the whole response instead of the requested portion in two cases:
HTTPResponse.read(amt=N)call when the response was decompressed using the official Brotli library.HTTPResponse.drain_conn()was called after the response had been read and decompressed partially (compression algorithm did not matter here).These issues could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This could result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data; CWE-409) on the client side.
Affected usages
Applications and libraries using urllib3 versions earlier than 2.7.0 may be affected when streaming compressed responses from untrusted sources in either of these cases, unless decompression is explicitly disabled:
bris read incrementally with at least twoHTTPResponse.read(amt=N)orHTTPResponse.stream(amt=N)calls while using the official Brotli library.HTTPResponse.drain_conn()is called after response decompression has already started.Remediation
Upgrade to at least urllib3 version 2.7.0 in which the library:
HTTPResponse.drain_conn().If upgrading is not immediately possible, the following workarounds may reduce exposure in specific cases:
HTTPResponse.drain_conn(), callHTTPResponse.close()instead when connection reuse is not important.Credits
The Brotli-specific issue was reported by @kimkou2024.
HTTPResponse.drain_conn()inefficiency was reported by @Cycloctane.Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
urllib3: Sensitive headers forwarded across origins in proxied low-level redirects
CVE-2026-44431 / GHSA-qccp-gfcp-xxvc
More information
Details
Impact
When following cross-origin redirects for requests made using urllib3’s high-level APIs, such as
urllib3.request(),PoolManager.request(), andProxyManager.request(), sensitive headers —Authorization,Cookie, andProxy-Authorization(defined inRetry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT) — are stripped by default, as expected.However, cross-origin redirects followed from the low-level API via
ProxyManager.connection_from_url().urlopen(..., assert_same_host=False)still forward these sensitive headers.Affected usage
Applications and libraries using urllib3 versions earlier than 2.7.0 may be affected if they allow cross-origin redirects while making requests through
HTTPConnection.urlopen()instances created viaProxyManager.connection_from_url().Remediation
Upgrade to urllib3 version 2.7.0 or later, in which sensitive headers are stripped from redirects followed by
HTTPConnection.If upgrading is not immediately possible, avoid using this low-level redirect flow for cross-origin redirects. If appropriate for your use case, switch to
ProxyManager.request().Severity
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
urllib3: Decompression-bomb safeguards bypassed in parts of the streaming API
CVE-2026-44432 / GHSA-mf9v-mfxr-j63j / PYSEC-2026-142
More information
Details
Impact
urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once.
urllib3 can perform decompression based on the HTTP
Content-Encodingheader (e.g.,gzip,deflate,br, orzstd). When using the streaming API since version 2.6.0, the library decompresses only the necessary bytes, enabling partial content consumption.However, urllib3 before version 2.7.0 could still decompress the whole response instead of the requested portion in two cases:
HTTPResponse.read(amt=N)call when the response was decompressed using the official Brotli library.HTTPResponse.drain_conn()was called after the response had been read and decompressed partially (compression algorithm did not matter here).These issues could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This could result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data; CWE-409) on the client side.
Affected usages
Applications and libraries using urllib3 versions earlier than 2.7.0 may be affected when streaming compressed responses from untrusted sources in either of these cases, unless decompression is explicitly disabled:
bris read incrementally with at least twoHTTPResponse.read(amt=N)orHTTPResponse.stream(amt=N)calls while using the official Brotli library.HTTPResponse.drain_conn()is called after response decompression has already started.Remediation
Upgrade to at least urllib3 version 2.7.0 in which the library:
HTTPResponse.drain_conn().If upgrading is not immediately possible, the following workarounds may reduce exposure in specific cases:
HTTPResponse.drain_conn(), callHTTPResponse.close()instead when connection reuse is not important.Credits
The Brotli-specific issue was reported by @kimkou2024.
HTTPResponse.drain_conn()inefficiency was reported by @Cycloctane.Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:HReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
urllib3: Sensitive headers forwarded across origins in proxied low-level redirects
CVE-2026-44431 / GHSA-qccp-gfcp-xxvc / PYSEC-2026-141
More information
Details
Impact
When following cross-origin redirects for requests made using urllib3’s high-level APIs, such as
urllib3.request(),PoolManager.request(), andProxyManager.request(), sensitive headers —Authorization,Cookie, andProxy-Authorization(defined inRetry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT) — are stripped by default, as expected.However, cross-origin redirects followed from the low-level API via
ProxyManager.connection_from_url().urlopen(..., assert_same_host=False)still forward these sensitive headers.Affected usage
Applications and libraries using urllib3 versions earlier than 2.7.0 may be affected if they allow cross-origin redirects while making requests through
HTTPConnection.urlopen()instances created viaProxyManager.connection_from_url().Remediation
Upgrade to urllib3 version 2.7.0 or later, in which sensitive headers are stripped from redirects followed by
HTTPConnection.If upgrading is not immediately possible, avoid using this low-level redirect flow for cross-origin redirects. If appropriate for your use case, switch to
ProxyManager.request().Severity
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
CVE-2026-44431 / GHSA-qccp-gfcp-xxvc / PYSEC-2026-141
More information
Details
urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NReferences
This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).
CVE-2026-44432 / GHSA-mf9v-mfxr-j63j / PYSEC-2026-142
More information
Details
urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) when HTTPResponse.drain_conn() was called after the response had been read and decompressed partially (compression algorithm did not matter here). These issues could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This could result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data) on the client side. This vulnerability is fixed in 2.7.0.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HReferences
This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).
Release Notes
urllib3/urllib3 (urllib3)
v2.7.0Compare Source
=======================
Security
Addressed high-severity security issues.
Impact was limited to specific use cases detailed in the accompanying
advisories; overall user exposure was estimated to be marginal.
Decompression-bomb safeguards of the streaming API were bypassed:
HTTPResponse.drain_conn()was called after the response had beenread and decompressed partially.
HTTPResponse.read(amt=N)orHTTPResponse.stream(amt=N)call when the response was decompressedusing the official
Brotli <https://pypi.org/project/brotli/>__ library.See
GHSA-mf9v-mfxr-j63j <https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j>__for details.
HTTP pools created using
ProxyManager.connection_from_urldid not stripsensitive headers specified in
Retry.remove_headers_on_redirectwhenredirecting to a different host.
(
GHSA-qccp-gfcp-xxvc <https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc>__)Deprecations and Removals
FutureWarninginstead ofDeprecationWarningfor bettervisibility of existing deprecation notices. Rescheduled the removal of
deprecated features to version 3.0.
(
#​3763 <https://github.com/urllib3/urllib3/issues/3763>__)(
#​3720 <https://github.com/urllib3/urllib3/issues/3720>__)(
#​4979 <https://github.com/urllib3/urllib3/issues/4979>__)(
#​3777 <https://github.com/urllib3/urllib3/issues/3777>__)Bugfixes
HTTPResponse.read(amt=None)was ignoring decompresseddata buffered from previous partial reads.
(
#​3636 <https://github.com/urllib3/urllib3/issues/3636>__)HTTPResponse.read()could cache only part of theresponse after a partial read when
cache_content=True.(
#​4967 <https://github.com/urllib3/urllib3/issues/4967>__)HTTPResponse.stream()andHTTPResponse.read_chunked()to handleamt=0.(
#​3793 <https://github.com/urllib3/urllib3/issues/3793>__)_TYPE_BODYtype alias to include missingIterable[str],matching the documented and runtime behavior of chunked request bodies.
(
#​3798 <https://github.com/urllib3/urllib3/issues/3798>__)LocationParseErrorwhen paths resembling schemeless URIs werepassed to
HTTPConnectionPool.urlopen().(
#​3352 <https://github.com/urllib3/urllib3/issues/3352>__)BaseHTTPResponse.readinto()type annotation to acceptmemoryviewin addition tobytearray, matching theio.RawIOBase.readintocontract and enabling use withio.BufferedReaderwithout type errors.(
#​3764 <https://github.com/urllib3/urllib3/issues/3764>__)Configuration
📅 Schedule: (UTC)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.