3276 matches found
USN-7955-2 python-urllib3 regression
USN-7955-1 fixed vulnerabilities in urllib3. The update introduced a regression in response streaming on Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that urllib3 incorrectly handled...
USN-7955-2: urllib3 regression
USN-7955-1 fixed vulnerabilities in urllib3. The update introduced a regression in response streaming on Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that urllib3 incorrectly handled...
MiracleLinux 7 : libxml2-2.9.1-6.4.0.1.el7.AXS7 (AXSA:2020-016:01)
The remote MiracleLinux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2020-016:01 advisory. libxml2: Use after free triggered by XPointer paths beginning with range-to CVE-2016-5131 libxml2: Use after free in...
MGASA-2026-0011 Updated python-urllib3 packages fix security vulnerabilities
urllib3 allows an unbounded number of links in the decompression chain. CVE-2025-66418 urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects streaming API. CVE-2026-21441...
Updated python-urllib3 packages fix security vulnerabilities
urllib3 allows an unbounded number of links in the decompression chain. CVE-2025-66418 urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects streaming API. CVE-2026-21441...
SUSE CVE-2026-22036
Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. This...
CVE-2026-22036
A flaw was found in Undici, an HTTP/1.1 client for Node.js. A remote attacker could exploit this vulnerability by sending a specially crafted HTTP response with an unbounded number of links in the decompression chain. This could lead to high CPU usage and excessive memory allocation, resulting in...
Unity Linux 20.1070a Security Update: kernel (UTSA-2026-004803)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-004803 advisory. In the Linux kernel, the following vulnerability has been resolved: lz4: fix LZ4decompresssafepartial read out of bound When partialDecoding, it is EOF if we've eith...
EulerOS 2.0 SP10 : brotli (EulerOS-SA-2026-1020)
According to the versions of the brotli package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : Scrapy versions up to 2.13.2 are vulnerable to a denial of service DoS attack due to a flaw in its brotli decompression implementation. The...
Ubuntu: Security Advisory (USN-7955-1)
The remote host is missing an update for the SPDX-FileCopyrightText: 2026 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2026-002045)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-002045 advisory. Multiple integer overflows in the lzo1xdecompresssafe function in lib/lzo/lzo1xdecompresssafe.c in the LZO decompressor in the Linux kernel before 3.15.2 allow...
Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion
Impact The fetch API supports chained HTTP encoding algorithms for response content according to RFC 9110 e.g., Content-Encoding: gzip, br. This is also supported by the undici decompress interceptor. However, the number of links in the decompression chain is unbounded and the default maxHeaderSi...
GHSA-G9MF-H72J-4RW9 Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion
Impact The fetch API supports chained HTTP encoding algorithms for response content according to RFC 9110 e.g., Content-Encoding: gzip, br. This is also supported by the undici decompress interceptor. However, the number of links in the decompression chain is unbounded and the default maxHeaderSi...
Allocation of Resources Without Limits or Throttling
Overview org.webjars.npm:undici is an An HTTP/1.1 client, written from scratch for Node.js Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the decompression chain. An attacker can cause high CPU usage and excessive memory allocation by...
CVE-2026-22036
Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. This...
CVE-2026-22036
Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. This...
UBUNTU-CVE-2026-22036
Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. This...
CVE-2026-22036 Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion
Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. This...
CVE-2026-22036
Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. This...
CVE-2026-22036 Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion
Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. This...