FixVibe
Research note (severity: high)

urllib3 Decompression Bomb Vulnerability (CVE-2026-21441)

urllib3, a widely used Python HTTP client library, contains a vulnerability in its streaming API. When handling large HTTP responses in chunks, the library can perform automatic decoding or decompression. Maliciously crafted compressed responses (decompression bombs) can lead to excessive resource consumption and denial of service.

CVE-2026-21441 · CWE-409

Impact

An attacker can cause a denial of service (DoS) by serving a maliciously crafted, highly compressed HTTP response to an application using urllib3 [S1]. When the application processes this response using the streaming API, the automatic decompression can exhaust system memory or CPU resources [S1].

Root Cause

urllib3's streaming API is designed to handle large HTTP responses efficiently by reading content in chunks [S1]. However, the library can perform automatic decoding or decompression based on response headers [S1]. This mechanism lacks sufficient protections against "decompression bombs"—small compressed payloads that expand into massive amounts of data—leading to uncontrolled resource consumption (CWE-409) [S1].

Detection and Mitigation

FixVibe can identify vulnerable versions of the urllib3 library in dependency manifests such as requirements.txt or poetry.lock [S1]. To mitigate this risk, users should upgrade to the latest version of urllib3 where decompression limits or safer defaults have been implemented [S1]. If an immediate upgrade is not possible, developers should consider manually inspecting Content-Length headers before decompression or disabling automatic decompression for untrusted sources [S1].
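The workaround in the paragraph above (turn off urllib3's automatic decompression, then inflate the raw stream under a hard limit) as an added Python example; this is not code from FixVibe or from the urllib3 project. It relies on urllib3's `preload_content=False` and `decode_content=False` options and on `zlib`'s `max_length` argument; `read_capped`, `bounded_gunzip`, the 64 KiB per-call limit and the constructed sample payloads are this example's own choices, and because Content-Length only reports the compressed size, the cap is enforced on produced output rather than on that header.

```python
import gzip
import zlib
from typing import Iterable, Iterator, Optional

class DecompressionLimitExceeded(Exception):
    """Raised as soon as decompressed output would exceed the configured cap."""

def bounded_gunzip(chunks: Iterable[bytes], max_output: int) -> Iterator[bytes]:
    """Inflate a gzip stream piece by piece, never emitting more than max_output bytes."""
    inflater = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # 16+ selects gzip framing
    produced = 0
    for chunk in chunks:
        data = chunk
        while True:
            # max_length caps this call's output; unused input waits in unconsumed_tail,
            # so keep draining until neither input nor pending output remains.
            limit = min(max_output - produced + 1, 1 << 16)
            out = inflater.decompress(data, limit)
            produced += len(out)
            if produced > max_output:
                raise DecompressionLimitExceeded(f"output exceeded {max_output} bytes")
            if out:
                yield out
            data = inflater.unconsumed_tail
            if not data and len(out) < limit:
                break

def read_capped(url: str, max_output: int) -> bytes:
    """Hypothetical helper: fetch url with urllib3 under our own cap (network only)."""
    import urllib3  # imported here so the offline sample below runs without it
    # preload_content=False streams the body; decode_content=False keeps gzip bytes raw.
    resp = urllib3.PoolManager().request("GET", url, preload_content=False, decode_content=False)
    try:
        raw = resp.stream(64 * 1024, decode_content=False)
        if resp.headers.get("Content-Encoding", "").lower() != "gzip":
            raise ValueError("non-gzip bodies are out of scope for this example")
        return b"".join(bounded_gunzip(raw, max_output))
    finally:
        resp.release_conn()

# Constructed samples: 8 MiB of zeros gzips to a few KiB, a minimal "bomb".
SAMPLE_BOMB = gzip.compress(b"\0" * (8 * 1024 * 1024))
SAMPLE_BENIGN = gzip.compress(b"hello world " * 100)

def inflate_sample(payload: bytes, max_output: int, piece: int = 1024) -> Optional[bytes]:
    """Feed payload in piece-sized chunks; return the inflated bytes, or None if the cap hit."""
    try:
        return b"".join(bounded_gunzip((payload[i:i + piece] for i in range(0, len(payload), piece)), max_output))
    except DecompressionLimitExceeded:
        return None
```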
