Lucene search
+L

91 matches found

Vulnrichment
Vulnrichment
added 2026/01/14 7:7 p.m.4 views

CVE-2026-22036 Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion

Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. This...

5.9CVSS6.3AI score0.00433EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/01/14 7:7 p.m.2 views

CVE-2026-22036

Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. This...

7.5CVSS5.5AI score0.00433EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/01/14 7:7 p.m.6 views

CVE-2026-22036 Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion

Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. This...

5.9CVSS6.7AI score0.00433EPSS
Exploits0References4
Ubuntu
Ubuntu
added 2026/01/12 9:26 p.m.6 views

USN-7927-2: urllib3 regression

USN-7927-1 fixed vulnerabilities in urllib3. The update for CVE-2025-66471 introduced a regression in the zstd decompression component inside urllib3. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Illia Volochii discovered that urllib3 did not limit...

8.9CVSS7.4AI score0.00633EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/01/01 12:0 a.m.11 views

PT-2026-2950

Name of the Vulnerable Software and Affected Versions Undici versions prior to 7.18.0 Undici versions prior to 6.23.0 Description Undici is an HTTP/1.1 client for Node.js. A malicious server can insert thousands of compression steps due to an unbounded number of links in the decompression chain a...

7.5CVSS6.6AI score0.00433EPSS
Exploits0References77
Veracode
Veracode
added 2025/12/13 7:33 a.m.8 views

Denial Of Service (DoS)

urllib3 is vulnerable to a Denial-Of-Service DoS. The vulnerability is due to an unbounded decompression chain, where nested compression layers are not limited, allowing a malicious server to send specially crafted responses that trigger excessive CPU usage and large memory allocation during...

8.9CVSS7.4AI score0.00633EPSS
Exploits0References2Affected Software2
SUSE CVE
SUSE CVE
added 2025/12/12 12:24 a.m.3 views

SUSE CVE-2025-66418

urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory...

5.3CVSS6.8AI score0.00633EPSS
Exploits0References23
OpenVAS
OpenVAS
added 2025/12/12 12:0 a.m.1 views

Ubuntu: Security Advisory (USN-7927-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

8.9CVSS6.8AI score0.00633EPSS
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2025/12/12 12:0 a.m.6 views

Ubuntu 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.04 / 25.10 : urllib3 vulnerabilities (USN-7927-1)

The remote Ubuntu 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.04 / 25.10 host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-7927-1 advisory. Illia Volochii discovered that urllib3 did not limit the steps in a decompression chain. An attacker could possib...

8.9CVSS7.4AI score0.00633EPSS
Exploits0References3
Microsoft CVE
Microsoft CVE
added 2025/12/10 9:2 a.m.6 views

urllib3 allows an unbounded number of links in the decompression chain

...

8.9CVSS7AI score0.00633EPSS
Exploits0
OSV
OSV
added 2025/12/05 6:15 p.m.4 views

GHSA-GM62-XV2J-4W53 urllib3 allows an unbounded number of links in the decompression chain

Impact urllib3 supports chained HTTP encoding algorithms for response content according to RFC 9110 e.g., Content-Encoding: gzip, zstd. However, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps...

8.9CVSS6.7AI score0.00633EPSS
Exploits0References4
Cvelist
Cvelist
added 2025/12/05 4:2 p.m.29 views

CVE-2025-66418 urllib3 allows an unbounded number of links in the decompression chain

urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory...

8.9CVSS0.00633EPSS
Exploits0References2
CNNVD
CNNVD
added 2025/12/05 12:0 a.m.9 views

urllib3 安全漏洞

urllib3 is a Python HTTP library open-sourced by urllib3. It features thread-safe connection pooling, file publishing support, and more. A security vulnerability exists in urllib3 version 1.24 up to and including version 2.6.0, which stems from an unlimited number of links in the decompression...

8.9CVSS7.4AI score0.00633EPSS
Exploits0References6
Tenable Nessus
Tenable Nessus
added 2024/07/03 12:0 a.m.25 views

CBL Mariner 2.0 Security Update: cmake / curl / mysql / rust / tensorflow (CVE-2023-23916)

The version of cmake / curl / mysql / rust / tensorflow installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2023-23916 advisory. - An allocation of resources without limits or throttling vulnerability exis...

6.5CVSS6.7AI score0.01703EPSS
Exploits1References2
RedHat Linux
RedHat Linux
added 2023/07/18 8:33 a.m.7 views

curl: HTTP multi-header compression denial of service

A flaw was found in the Curl package. A malicious server can insert an unlimited number of compression steps. This decompression chain could result in out-of-memory errors...

6.5CVSS6.8AI score0.01703EPSS
Exploits1References5
IBM Security Bulletins
IBM Security Bulletins
added 2023/06/19 12:14 p.m.43 views

Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from libcurl, openssl, gnutls, libarchive and libsepol

Summary Multiple issues were identified in Red Hat UBI packages libcurl, openssl, gnutls, libarchive and libsepol that were shipped with IBM MQ Operator and IBM supplied MQ Advanced container images. Vulnerability Details CVEID:CVE-2023-0286 DESCRIPTION: OpenSSL is vulnerable to a denial of...

9.1CVSS8.1AI score0.59501EPSS
Exploits4Affected Software1
RedHat Linux
RedHat Linux
added 2023/06/06 8:36 a.m.4 views

curl: HTTP compression denial of service

A vulnerability was found in curl. This issue occurs because the number of acceptable "links" in the "decompression chain" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps. This flaw leads to a denial of service, either by mistake or by a...

6.5CVSS6.7AI score0.3197EPSS
Exploits1References5
RedHat Linux
RedHat Linux
added 2023/06/05 12:30 p.m.8 views

curl: HTTP multi-header compression denial of service

A flaw was found in the Curl package. A malicious server can insert an unlimited number of compression steps. This decompression chain could result in out-of-memory errors...

6.5CVSS6.8AI score0.01703EPSS
Exploits1References5
RedHat Linux
RedHat Linux
added 2023/06/05 11:46 a.m.7 views

curl: HTTP multi-header compression denial of service

A flaw was found in the Curl package. A malicious server can insert an unlimited number of compression steps. This decompression chain could result in out-of-memory errors...

6.5CVSS6.8AI score0.01703EPSS
Exploits1References5
Tenable Nessus
Tenable Nessus
added 2023/04/13 12:0 a.m.48 views

EulerOS 2.0 SP8 : curl (EulerOS-SA-2023-1590)

According to the versions of the curl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - An allocation of resources without limits or throttling vulnerability exists in curl v7.88.0 based on the 'chained' HTTP compression algorithms,...

6.5CVSS6.7AI score0.01703EPSS
Exploits1References2
Rows per page
Query Builder