MiracleLinux 8 : python-urllib3-1.24.2-9.el8_10 (AXSA:2026-099:02)

The remote MiracleLinux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2026-099:02 advisory. urllib3: urllib3: Unbounded decompression chain leads to resource exhaustion CVE-2025-66418 urllib3: urllib3 Streaming API improperly handles highly...

Improper Handling of Highly Compressed Data (Data Amplification)

Overview dfir-unfurl is an Unfurl takes a URL and expands "unfurls" it into a directed graph Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data Data Amplification via the zlib.decompress function in the compressed data parsing process. An attacker can...

GHSA-H5QV-QJV4-PC5M Unfurl's unbounded zlib decompression allows decompression bomb DoS

Summary The compressed data parser uses zlib.decompress without a maximum output size. A small, highly compressed payload can expand to a very large output, causing memory exhaustion and denial of service. Details - unfurl/parsers/parsecompressed.py calls zlib.decompressdecoded with no size limit...

Unfurl's unbounded zlib decompression allows decompression bomb DoS

Summary The compressed data parser uses zlib.decompress without a maximum output size. A small, highly compressed payload can expand to a very large output, causing memory exhaustion and denial of service. Details - unfurl/parsers/parsecompressed.py calls zlib.decompressdecoded with no size limit...

OPENSUSE-SU-2026:20127-1 Security update for python-urllib3

This update for python-urllib3 fixes the following issues: - CVE-2025-66471: Fixed excessive resource consumption via decompression of highly compressed data in Streaming API bsc1254867 - CVE-2025-66418: Fixed resource exhaustion via unbounded number of links in the decompression chain bsc1254866...

Important: Red Hat Security Advisory: python3.11-urllib3 security update

An update for python3.11-urllib3 is now available for Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity...

urllib3: urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API)

urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP...

urllib3: urllib3 Streaming API improperly handles highly compressed data

A decompression handling flaw has been discovered in urllib3. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header e.g., gzip, deflate, br, or zstd. The library must read compressed data from the network and decompress it...

urllib3: urllib3: Unbounded decompression chain leads to resource exhaustion

A flaw was found in urllib3 Python library that could lead to a Denial of Service condition. A remote, malicious server can exploit this flaw by responding to a client request with an HTTP message that uses an excessive number of chained compression algorithms. This unlimited decompression chain...

MiracleLinux 9 : python3.12-urllib3-1.26.19-1.el9_7.1 (AXSA:2026-094:02)

The remote MiracleLinux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2026-094:02 advisory. urllib3: urllib3: Unbounded decompression chain leads to resource exhaustion CVE-2025-66418 urllib3: urllib3 Streaming API improperly handles highly...

AlmaLinux 8 : python-urllib3 (ALSA-2026:1254)

The remote AlmaLinux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the ALSA-2026:1254 advisory. urllib3: urllib3: Unbounded decompression chain leads to resource exhaustion CVE-2025-66418 urllib3: urllib3 Streaming API improperly handles highly...

urllib3: urllib3 Streaming API improperly handles highly compressed data

A decompression handling flaw has been discovered in urllib3. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header e.g., gzip, deflate, br, or zstd. The library must read compressed data from the network and decompress it...

SUSE-SU-2026:20189-1 Security update for python-urllib3

This update for python-urllib3 fixes the following issues: - CVE-2025-66471: Fixed excessive resource consumption via decompression of highly compressed data in Streaming API bsc1254867 - CVE-2025-66418: Fixed resource exhaustion via unbounded number of links in the decompression chain bsc1254866...

SUSE-SU-2026:20175-1 Security update for python-urllib3

This update for python-urllib3 fixes the following issues: - CVE-2025-66471: Fixed excessive resource consumption via decompression of highly compressed data in Streaming API bsc1254867 - CVE-2025-66418: Fixed resource exhaustion via unbounded number of links in the decompression chain bsc1254866...

urllib3: urllib3 Streaming API improperly handles highly compressed data

A decompression handling flaw has been discovered in urllib3. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header e.g., gzip, deflate, br, or zstd. The library must read compressed data from the network and decompress it...

EUVD-2025-206333

Next.js has Unbounded Memory Consumption via PPR Resume Endpoint...

Next.js has Unbounded Memory Consumption via PPR Resume Endpoint

A denial of service vulnerability exists in Next.js versions with Partial Prerendering PPR enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the Next-Resume: 1 header and processes attacker-controlled postponed state data. Two closely related...

GHSA-5F7Q-JPQC-WP7H Next.js has Unbounded Memory Consumption via PPR Resume Endpoint

A denial of service vulnerability exists in Next.js versions with Partial Prerendering PPR enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the Next-Resume: 1 header and processes attacker-controlled postponed state data. Two closely related...

Important: Red Hat Security Advisory: RHUI 4.11.3 security update - python-urllib3

An updated version of Red Hat Update Infrastructure RHUI is now available. RHUI 4.11.3 resolves several security vulnerabilities. Red Hat Update Infrastructure RHUI provides a highly scalable and redundant framework for managing repositories and content. It also allows cloud providers to deliver...

urllib3: urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API)

urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP...