CVE-2026-21441: urllib3 Python Library DoS Vulnerability

CVE-2026-21441 Overview

urllib3, a widely-used HTTP client library for Python, contains a high-severity vulnerability in its streaming API when handling HTTP redirects. The library's streaming API is designed to efficiently handle large HTTP responses by reading content in chunks rather than loading entire response bodies into memory. However, a flaw in redirect handling allows malicious servers to bypass decompression-bomb safeguards, potentially causing excessive resource consumption on client systems.

Critical Impact
Malicious servers can exploit this vulnerability to trigger denial of service conditions through decompression bombs when applications stream content from untrusted sources with redirects enabled.

Affected Products

urllib3 versions 1.22 through 2.6.2
Python applications using urllib3 streaming API with preload_content=False
Applications that do not disable redirects when streaming from untrusted sources

Discovery Timeline

2026-01-07 - CVE CVE-2026-21441 published to NVD
2026-01-08 - Last updated in NVD database

Technical Details for CVE-2026-21441

Vulnerability Analysis

This vulnerability stems from improper handling of HTTP redirect responses in urllib3's streaming API. When the streaming API is used with preload_content=False, the library is designed to defer content loading until explicitly requested by the application. However, for HTTP redirect responses (3xx status codes), urllib3 would read and decompress the entire response body to drain the connection, even before any read methods were called.

The core issue is that configured read limits did not restrict the amount of decompressed data during redirect processing. This means a malicious server could return a redirect response with a highly compressed payload (decompression bomb) that expands to consume excessive memory when decompressed. The vulnerability is classified under CWE-409 (Improper Handling of Highly Compressed Data), which describes scenarios where applications fail to properly limit resource consumption when processing compressed data.

Root Cause

The root cause lies in the redirect handling logic within urllib3's streaming API. When processing HTTP redirects, the library performs decompression based on the Content-Encoding header (supporting gzip, deflate, br, or zstd) without applying the safeguards that normally protect against decompression bombs. The decompression occurs automatically as part of connection draining, bypassing the streaming API's intended protections that would normally limit how much data is processed at once.

Attack Vector

An attacker operating a malicious HTTP server can exploit this vulnerability by sending a redirect response with a highly compressed body. When a vulnerable urllib3 client connects to this server with streaming enabled (preload_content=False) and redirects not disabled, the client will automatically decompress the malicious payload during redirect processing. This can lead to memory exhaustion or CPU exhaustion on the client system, resulting in denial of service.

The following patch demonstrates the fix implemented in urllib3 v2.6.3:

text

+2.6.3 (TBD)
+==================
+
+Bugfixes
+--------
+
+- Fixed a high-severity security issue where decompression-bomb safeguards of
+  the streaming API were bypassed when HTTP redirects were followed.
+  (`GHSA-38jv-5279-wg99 <https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99>`__)
+
+TODO: add other entries.
+
+
 2.6.2 (2025-12-11)
 ==================

Source: GitHub Commit

The test server implementation was also updated to support compressed redirect responses for testing:

python

    values = await request.values
    target = values.get("target", "/")
    status = values.get("status", "303 See Other")
+    compressed = values.get("compressed") == "true"
    status_code = status.split(" ")[0]

    headers = [("Location", target)]
-    return await make_response("", status_code, headers)
+    if compressed:
+        headers.append(("Content-Encoding", "gzip"))
+        data = gzip.compress(b"foo")
+    else:
+        data = b""
+    return await make_response(data, status_code, headers)

Source: GitHub Commit

Detection Methods for CVE-2026-21441

Indicators of Compromise

Unexpected memory spikes or exhaustion in Python applications using urllib3
Abnormally large amounts of decompressed data from redirect responses
HTTP redirect responses with Content-Encoding headers (gzip, deflate, br, zstd) from untrusted sources
Connection timeout or application crashes during HTTP redirect processing

Detection Strategies

Monitor Python application memory usage for sudden spikes during HTTP operations
Implement network monitoring to detect redirect responses with compressed content from external sources
Audit application code for urllib3 usage with preload_content=False and enabled redirects
Review dependency manifests for urllib3 versions between 1.22 and 2.6.2

Monitoring Recommendations

Set up alerting for abnormal memory consumption in services that interact with external HTTP endpoints
Log and monitor HTTP redirect chains, especially those containing compressed content
Implement resource limits (memory, CPU) on containers or processes that handle untrusted HTTP content
Configure application-level timeouts for HTTP operations to prevent prolonged resource consumption

How to Mitigate CVE-2026-21441

Immediate Actions Required

Upgrade urllib3 to version 2.6.3 or later immediately
If upgrading is not immediately possible, disable redirects by setting redirect=False for requests to untrusted sources
Audit all Python applications for urllib3 streaming API usage with preload_content=False
Implement resource limits on systems that may be vulnerable to prevent complete resource exhaustion

Patch Information

The vulnerability has been fixed in urllib3 version 2.6.3. The fix ensures that the library does not decode content of redirect responses when preload_content=False is set. Users should upgrade to at least urllib3 v2.6.3 to address this vulnerability.

For detailed patch information, see the GitHub Security Advisory GHSA-38jv-5279-wg99 and the security patch commit.

Workarounds

Disable redirects by setting redirect=False on requests to untrusted sources
Avoid using preload_content=False when streaming from untrusted endpoints
Implement application-level redirect handling with content validation
Use network-level controls to block or filter compressed redirect responses from untrusted origins

bash

# Upgrade urllib3 to the patched version
pip install --upgrade urllib3>=2.6.3

# Verify the installed version
pip show urllib3 | grep Version

# For requirements.txt, update the version constraint
# urllib3>=2.6.3

CVE-2026-21441 Overview

Critical Impact
Malicious servers can exploit this vulnerability to trigger denial of service conditions through decompression bombs when applications stream content from untrusted sources with redirects enabled.

Affected Products

urllib3 versions 1.22 through 2.6.2
Python applications using urllib3 streaming API with preload_content=False
Applications that do not disable redirects when streaming from untrusted sources

Discovery Timeline

2026-01-07 - CVE CVE-2026-21441 published to NVD
2026-01-08 - Last updated in NVD database

Technical Details for CVE-2026-21441

Vulnerability Analysis

Root Cause

Attack Vector

The following patch demonstrates the fix implemented in urllib3 v2.6.3:

text

+2.6.3 (TBD)
+==================
+
+Bugfixes
+--------
+
+- Fixed a high-severity security issue where decompression-bomb safeguards of
+  the streaming API were bypassed when HTTP redirects were followed.
+  (`GHSA-38jv-5279-wg99 <https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99>`__)
+
+TODO: add other entries.
+
+
 2.6.2 (2025-12-11)
 ==================

Source: GitHub Commit

The test server implementation was also updated to support compressed redirect responses for testing:

python

    values = await request.values
    target = values.get("target", "/")
    status = values.get("status", "303 See Other")
+    compressed = values.get("compressed") == "true"
    status_code = status.split(" ")[0]

    headers = [("Location", target)]
-    return await make_response("", status_code, headers)
+    if compressed:
+        headers.append(("Content-Encoding", "gzip"))
+        data = gzip.compress(b"foo")
+    else:
+        data = b""
+    return await make_response(data, status_code, headers)

Source: GitHub Commit

Detection Methods for CVE-2026-21441

Indicators of Compromise

Unexpected memory spikes or exhaustion in Python applications using urllib3
Abnormally large amounts of decompressed data from redirect responses
HTTP redirect responses with Content-Encoding headers (gzip, deflate, br, zstd) from untrusted sources
Connection timeout or application crashes during HTTP redirect processing

Detection Strategies

Monitor Python application memory usage for sudden spikes during HTTP operations
Implement network monitoring to detect redirect responses with compressed content from external sources
Audit application code for urllib3 usage with preload_content=False and enabled redirects
Review dependency manifests for urllib3 versions between 1.22 and 2.6.2

Monitoring Recommendations

Set up alerting for abnormal memory consumption in services that interact with external HTTP endpoints
Log and monitor HTTP redirect chains, especially those containing compressed content
Implement resource limits (memory, CPU) on containers or processes that handle untrusted HTTP content
Configure application-level timeouts for HTTP operations to prevent prolonged resource consumption

How to Mitigate CVE-2026-21441

Immediate Actions Required

Upgrade urllib3 to version 2.6.3 or later immediately
If upgrading is not immediately possible, disable redirects by setting redirect=False for requests to untrusted sources
Audit all Python applications for urllib3 streaming API usage with preload_content=False
Implement resource limits on systems that may be vulnerable to prevent complete resource exhaustion

Patch Information

For detailed patch information, see the GitHub Security Advisory GHSA-38jv-5279-wg99 and the security patch commit.

Workarounds

Disable redirects by setting redirect=False on requests to untrusted sources
Avoid using preload_content=False when streaming from untrusted endpoints
Implement application-level redirect handling with content validation
Use network-level controls to block or filter compressed redirect responses from untrusted origins

bash

# Upgrade urllib3 to the patched version
pip install --upgrade urllib3>=2.6.3

# Verify the installed version
pip show urllib3 | grep Version

# For requirements.txt, update the version constraint
# urllib3>=2.6.3

CVE-2026-21441: urllib3 Python Library DoS Vulnerability

CVE-2026-21441 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-21441

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-21441

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-21441

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2026-21441: urllib3 Python Library DoS Vulnerability

CVE-2026-21441 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-21441

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-21441

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-21441

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform