EUVD-2026-2422

Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. This...

CVE-2026-22036

Undici (HTTP/1.1 client for Node.js) contains a vulnerability in its decompression chain handling. Before versions 7.18.0 and 6.23.0, the chain can have an unbounded number of links, and the default maxHeaderSize allows a malicious server to insert thousands of compression steps, causing high CPU...

CVE-2026-22036 Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion

Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. This...

CVE-2026-22036

Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. This...

CVE-2026-22036 Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion

Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. This...

Denial-of-Service (DoS)

urllib3 is vulnerable to a Denial-Of-Service DoS. The vulnerability is due to unbounded decompression of redirect response bodies in the streaming API, where urllib3 decompresses entire redirect responses regardless of read limits, allowing a malicious server to trigger excessive resource...

Ubuntu 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.04 / 25.10 : urllib3 vulnerability (USN-7955-1)

The remote Ubuntu 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.04 / 25.10 host has a package installed that is affected by a vulnerability as referenced in the USN-7955-1 advisory. It was discovered that urllib3 incorrectly handled decompression during HTTP redirects. An attacker could possibly use thi...

USN-7927-3: urllib3 regression

USN-7927-1 fixed vulnerabilities in urllib3. The update for CVE-2025-66471 introduced a regression in urllib3 when decompressing zstd data. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Illia Volochii discovered that urllib3 did not limit the steps ...

USN-7927-3 python-urllib3 regression

USN-7927-1 fixed vulnerabilities in urllib3. The update for CVE-2025-66471 introduced a regression in urllib3 when decompressing zstd data. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Illia Volochii discovered that urllib3 did not limit the steps ...

USN-7927-2: urllib3 regression

USN-7927-1 fixed vulnerabilities in urllib3. The update for CVE-2025-66471 introduced a regression in the zstd decompression component inside urllib3. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Illia Volochii discovered that urllib3 did not limit...

USN-7927-2 python-urllib3 regression

USN-7927-1 fixed vulnerabilities in urllib3. The update for CVE-2025-66471 introduced a regression in the zstd decompression component inside urllib3. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Illia Volochii discovered that urllib3 did not limit...

Improper Handling of Highly Compressed Data (Data Amplification)

Overview Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data Data Amplification via the unsafe handling of compressed HTTP request bodies when decompressing data. An attacker can exhaust system memory by sending specially crafted compressed payloads tha...

USN-7955-1 python-urllib3 vulnerability

It was discovered that urllib3 incorrectly handled decompression during HTTP redirects. An attacker could possibly use this issue to cause urllib3 to use excessive resources, causing a denial of service...

USN-7955-1: urllib3 vulnerability

It was discovered that urllib3 incorrectly handled decompression during HTTP redirects. An attacker could possibly use this issue to cause urllib3 to use excessive resources, causing a denial of service...

Fedora: Security Advisory (FEDORA-2026-724d1b1044)

The remote host is missing an update for the SPDX-FileCopyrightText: 2026 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Fedora 43 : python-urllib3 (2026-724d1b1044)

The remote Fedora 43 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-724d1b1044 advisory. 2.6.3 2026-01-07 - Fixed a high-severity security issue where decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were...

CVE-2023-40711

Veilid before 0.1.9 does not check the size of uncompressed data during decompression upon an envelope receipt, which allows remote attackers to cause a denial of service out-of-memory abort via crafted packet data, as exploited in the wild in August 2023...

CVE-2022-26507

A heap-based buffer overflow exists in XML Decompression DecodeTreeBlock in AT Labs Xmill 0.7. A crafted input file can lead to remote code execution. This is not the same as any of: CVE-2021-21810, CVE-2021-21811, CVE-2021-21812, CVE-2021-21815, CVE-2021-21825, CVE-2021-21826, CVE-2021-21828,...

urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API)

...

SUSE CVE-2026-21441

urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP...