Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-21441

CVE-2026-21441: urllib3 Python Library DoS Vulnerability

CVE-2026-21441 is a denial of service vulnerability in urllib3, a Python HTTP client library. Attackers can exploit decompression bombs in redirect responses to exhaust client resources. This article covers technical details, affected versions, impact, and mitigation strategies.

Updated:

CVE-2026-21441 Overview

urllib3, a widely-used HTTP client library for Python, contains a high-severity vulnerability in its streaming API when handling HTTP redirects. The library's streaming API is designed to efficiently handle large HTTP responses by reading content in chunks rather than loading entire response bodies into memory. However, a flaw in redirect handling allows malicious servers to bypass decompression-bomb safeguards, potentially causing excessive resource consumption on client systems.

Critical Impact

Malicious servers can exploit this vulnerability to trigger denial of service conditions through decompression bombs when applications stream content from untrusted sources with redirects enabled.

Affected Products

  • urllib3 versions 1.22 through 2.6.2
  • Python applications using urllib3 streaming API with preload_content=False
  • Applications that do not disable redirects when streaming from untrusted sources

Discovery Timeline

  • 2026-01-07 - CVE CVE-2026-21441 published to NVD
  • 2026-01-08 - Last updated in NVD database

Technical Details for CVE-2026-21441

Vulnerability Analysis

This vulnerability stems from improper handling of HTTP redirect responses in urllib3's streaming API. When the streaming API is used with preload_content=False, the library is designed to defer content loading until explicitly requested by the application. However, for HTTP redirect responses (3xx status codes), urllib3 would read and decompress the entire response body to drain the connection, even before any read methods were called.

The core issue is that configured read limits did not restrict the amount of decompressed data during redirect processing. This means a malicious server could return a redirect response with a highly compressed payload (decompression bomb) that expands to consume excessive memory when decompressed. The vulnerability is classified under CWE-409 (Improper Handling of Highly Compressed Data), which describes scenarios where applications fail to properly limit resource consumption when processing compressed data.

Root Cause

The root cause lies in the redirect handling logic within urllib3's streaming API. When processing HTTP redirects, the library performs decompression based on the Content-Encoding header (supporting gzip, deflate, br, or zstd) without applying the safeguards that normally protect against decompression bombs. The decompression occurs automatically as part of connection draining, bypassing the streaming API's intended protections that would normally limit how much data is processed at once.

Attack Vector

An attacker operating a malicious HTTP server can exploit this vulnerability by sending a redirect response with a highly compressed body. When a vulnerable urllib3 client connects to this server with streaming enabled (preload_content=False) and redirects not disabled, the client will automatically decompress the malicious payload during redirect processing. This can lead to memory exhaustion or CPU exhaustion on the client system, resulting in denial of service.

The following patch demonstrates the fix implemented in urllib3 v2.6.3:

text
+2.6.3 (TBD)
+==================
+
+Bugfixes
+--------
+
+- Fixed a high-severity security issue where decompression-bomb safeguards of
+  the streaming API were bypassed when HTTP redirects were followed.
+  (`GHSA-38jv-5279-wg99 <https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99>`__)
+
+TODO: add other entries.
+
+
 2.6.2 (2025-12-11)
 ==================
 

Source: GitHub Commit

The test server implementation was also updated to support compressed redirect responses for testing:

python
    values = await request.values
    target = values.get("target", "/")
    status = values.get("status", "303 See Other")
+    compressed = values.get("compressed") == "true"
    status_code = status.split(" ")[0]

    headers = [("Location", target)]
-    return await make_response("", status_code, headers)
+    if compressed:
+        headers.append(("Content-Encoding", "gzip"))
+        data = gzip.compress(b"foo")
+    else:
+        data = b""
+    return await make_response(data, status_code, headers)

Source: GitHub Commit

Detection Methods for CVE-2026-21441

Indicators of Compromise

  • Unexpected memory spikes or exhaustion in Python applications using urllib3
  • Abnormally large amounts of decompressed data from redirect responses
  • HTTP redirect responses with Content-Encoding headers (gzip, deflate, br, zstd) from untrusted sources
  • Connection timeout or application crashes during HTTP redirect processing

Detection Strategies

  • Monitor Python application memory usage for sudden spikes during HTTP operations
  • Implement network monitoring to detect redirect responses with compressed content from external sources
  • Audit application code for urllib3 usage with preload_content=False and enabled redirects
  • Review dependency manifests for urllib3 versions between 1.22 and 2.6.2

Monitoring Recommendations

  • Set up alerting for abnormal memory consumption in services that interact with external HTTP endpoints
  • Log and monitor HTTP redirect chains, especially those containing compressed content
  • Implement resource limits (memory, CPU) on containers or processes that handle untrusted HTTP content
  • Configure application-level timeouts for HTTP operations to prevent prolonged resource consumption

How to Mitigate CVE-2026-21441

Immediate Actions Required

  • Upgrade urllib3 to version 2.6.3 or later immediately
  • If upgrading is not immediately possible, disable redirects by setting redirect=False for requests to untrusted sources
  • Audit all Python applications for urllib3 streaming API usage with preload_content=False
  • Implement resource limits on systems that may be vulnerable to prevent complete resource exhaustion

Patch Information

The vulnerability has been fixed in urllib3 version 2.6.3. The fix ensures that the library does not decode content of redirect responses when preload_content=False is set. Users should upgrade to at least urllib3 v2.6.3 to address this vulnerability.

For detailed patch information, see the GitHub Security Advisory GHSA-38jv-5279-wg99 and the security patch commit.

Workarounds

  • Disable redirects by setting redirect=False on requests to untrusted sources
  • Avoid using preload_content=False when streaming from untrusted endpoints
  • Implement application-level redirect handling with content validation
  • Use network-level controls to block or filter compressed redirect responses from untrusted origins
bash
# Upgrade urllib3 to the patched version
pip install --upgrade urllib3>=2.6.3

# Verify the installed version
pip show urllib3 | grep Version

# For requirements.txt, update the version constraint
# urllib3>=2.6.3

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.