Impact
An attacker can cause a denial of service (DoS) by serving a maliciously crafted, highly compressed HTTP response to an application using urllib3 [S1]. When the application processes this response using the streaming API, the automatic decompression can exhaust system memory or CPU resources [S1].
Root Cause
urllib3's streaming API is designed to handle large HTTP responses efficiently by reading content in chunks [S1]. However, the library can perform automatic decoding or decompression based on response headers [S1]. This mechanism lacks sufficient protections against "decompression bombs"—small compressed payloads that expand into massive amounts of data—leading to uncontrolled resource consumption (CWE-409) [S1].
Detection and Mitigation
FixVibe can identify vulnerable versions of the urllib3 library in dependency manifests such as requirements.txt or poetry.lock [S1]. To mitigate this risk, users should upgrade to the latest version of urllib3 where decompression limits or safer defaults have been implemented [S1]. If an immediate upgrade is not possible, developers should consider manually inspecting Content-Length headers before decompression or disabling automatic decompression for untrusted sources [S1].
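One way to apply the last mitigation in code, as an added example that is not part of the advisory or of urllib3 itself: the response is requested with `preload_content=False, decode_content=False` so urllib3 hands back the raw compressed bytes, and a small zlib wrapper then decodes them under a hard output ceiling. The ceiling `MAX_DECOMPRESSED_BYTES`, the helper names and the sample payload are assumptions made for this example; the payload is constructed in the block (a gzip stream of zero bytes) so it runs offline. Note that `Content-Length`, when present, describes the compressed body only, so it is checked here merely as a cheap first filter and the real protection is the output budget.

```python
"""Bounded decompression for streamed urllib3 responses (example, not library code)."""
import zlib
from typing import Iterable, Iterator

# Assumed ceiling for this example: a response may expand to at most 8 MiB.
MAX_DECOMPRESSED_BYTES = 8 * 1024 * 1024
# Assumed ceiling on the compressed body as advertised by Content-Length.
MAX_COMPRESSED_BYTES = 1 * 1024 * 1024
CHUNK_SIZE = 64 * 1024


class DecompressionLimitExceeded(Exception):
    """Raised when a response would expand beyond the configured ceiling."""


def _wbits_for(content_encoding: str) -> int:
    # 32 | MAX_WBITS lets zlib auto-detect a gzip or zlib header. Raw deflate
    # (no header) is not handled by this example and is rejected above.
    return 32 | zlib.MAX_WBITS


def bounded_decompress(chunks: Iterable[bytes], max_output: int,
                       content_encoding: str = "gzip") -> Iterator[bytes]:
    """Decode compressed chunks, yielding at most max_output bytes in total.

    The caller never sees more than max_output bytes: the check happens before
    any chunk that would cross the limit is yielded.
    """
    encoding = content_encoding.strip().lower()
    if encoding in ("", "identity"):
        for chunk in chunks:          # nothing to decode; pass through unchanged
            yield chunk
        return
    if encoding not in ("gzip", "x-gzip", "deflate"):
        raise ValueError(f"unsupported Content-Encoding: {content_encoding!r}")

    decoder = zlib.decompressobj(wbits=_wbits_for(encoding))
    produced = 0
    for chunk in chunks:
        # Ask zlib for at most one byte more than the remaining budget. If it
        # manages to fill that, the stream is larger than allowed and we stop
        # before the excess is ever materialised in memory.
        out = decoder.decompress(chunk, max_output - produced + 1)
        produced += len(out)
        if produced > max_output:
            raise DecompressionLimitExceeded(
                f"decoded size exceeds {max_output} bytes; refusing to continue")
        if out:
            yield out
    if not decoder.eof:
        # Fail closed on a truncated stream rather than returning partial data.
        raise ValueError("compressed stream ended prematurely")


def fetch_with_limit(url: str, max_output: int = MAX_DECOMPRESSED_BYTES) -> bytes:
    """Fetch url with urllib3 and decode the body under the output ceiling."""
    import urllib3  # imported lazily so the zlib part above runs without it

    http = urllib3.PoolManager()
    # decode_content=False: urllib3 must not decompress on our behalf.
    resp = http.request("GET", url, preload_content=False, decode_content=False)
    try:
        length = resp.headers.get("Content-Length")
        # Cheap first filter only: this bounds the compressed body, not the
        # decoded one, so it cannot replace the output budget below.
        if length is not None and int(length) > MAX_COMPRESSED_BYTES:
            raise DecompressionLimitExceeded("Content-Length above compressed-size limit")
        encoding = resp.headers.get("Content-Encoding", "")
        raw = resp.stream(CHUNK_SIZE, decode_content=False)
        return b"".join(bounded_decompress(raw, max_output, encoding))
    finally:
        resp.release_conn()


def build_sample_payload(decoded_size: int) -> list:
    """Constructed test input: a gzip stream of decoded_size zero bytes, split
    into 1 KiB pieces the way resp.stream() would deliver them."""
    comp = zlib.compressobj(wbits=16 | zlib.MAX_WBITS)
    body = comp.compress(b"\0" * decoded_size) + comp.flush()
    return [body[i:i + 1024] for i in range(0, len(body), 1024)]


if __name__ == "__main__":
    payload = build_sample_payload(8 * 1024 * 1024)
    print(f"compressed payload: {sum(map(len, payload))} bytes")
    try:
        list(bounded_decompress(payload, 1024 * 1024))
    except DecompressionLimitExceeded as exc:
        print("rejected:", exc)
    total = sum(len(b) for b in bounded_decompress(payload, 16 * 1024 * 1024))
    print(f"accepted under a larger budget: {total} bytes decoded")
```

`bounded_decompress` relies on the `max_length` argument of `zlib.Decompress.decompress`: zlib stops producing output at that length and keeps the rest of the input in `unconsumed_tail`, so a payload that fills the budget plus one byte is detected without ever allocating more than the budget. Wire the same generator in front of whatever consumes the body (a JSON parser, a file writer) so the ceiling applies end to end.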
