DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-21441: The Invisible Avalanche: urllib3 Decompression Bomb


Vulnerability ID: CVE-2026-21441
CVSS Score: 8.9
Published: 2026-01-07

A resource exhaustion vulnerability in the ubiquitous urllib3 Python library allows attackers to crash applications via malicious HTTP redirects containing compressed 'bombs'.

TL;DR

When an application uses urllib3's streaming API (preload_content=False) with redirects enabled, the library follows redirects automatically. Before reusing the connection, it 'drains' the body of the redirect response as cleanup. Because drain_conn called read() with its default decode_content argument, this cleanup decompressed the body. An attacker can serve a small, highly compressed payload (a decompression bomb) as the body of a 302 redirect, causing the client to exhaust memory and crash while handling the redirect internally.
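The failure mode above is an unbounded decode of an attacker-controlled body: the compressed bytes on the wire are tiny, the inflated output is not. The following is an added example (not urllib3 code and not from the original report) showing the defensive pattern a drain path should use: feed the compressed input to zlib in slices and cap every call with max_length, so the byte budget is enforced before memory is committed. The sample payload is constructed here for the test (a run of zero bytes, which gzip compresses roughly 1000:1); build_sample_payload, decompress_bounded and the budget constants are this example's own names.

```python
import gzip
import zlib


class DecompressionLimitExceeded(Exception):
    """Raised when inflating a body would exceed the caller's byte budget."""


def decompress_bounded(data: bytes, max_output: int, chunk_size: int = 64 * 1024) -> bytes:
    """Inflate a gzip- or zlib-encoded body, never producing more than max_output bytes.

    The unsafe pattern is one unbounded decode (gzip.decompress(data), or a
    read(decode_content=True) with no cap). Here each zlib call is told the
    maximum it may emit, so an overrun is detected after at most one extra byte.
    """
    # wbits = MAX_WBITS | 32 lets zlib auto-detect a gzip or zlib header.
    inflater = zlib.decompressobj(wbits=zlib.MAX_WBITS | 32)
    out = bytearray()
    pos = 0
    pending = b""  # input zlib set aside because the output cap was reached
    while True:
        if pending:
            piece = pending
        elif pos < len(data):
            piece = data[pos:pos + chunk_size]
            pos += chunk_size
        else:
            break  # compressed input exhausted (stream may simply be truncated)
        # Allow exactly one byte beyond the budget so the overrun is observable
        # without ever allocating an unbounded buffer.
        out += inflater.decompress(piece, max_output - len(out) + 1)
        if len(out) > max_output:
            raise DecompressionLimitExceeded(
                f"inflated output exceeded {max_output} bytes after consuming "
                f"{min(pos, len(data))} compressed bytes")
        pending = inflater.unconsumed_tail
        if inflater.eof:
            break
    return bytes(out)


def is_within_budget(data: bytes, max_output: int) -> bool:
    """Convenience wrapper: True if the body inflates to at most max_output bytes."""
    try:
        decompress_bounded(data, max_output)
        return True
    except DecompressionLimitExceeded:
        return False


def build_sample_payload(inflated_size: int = 8 * 1024 * 1024) -> bytes:
    """Constructed test input: a run of zero bytes gzip-compresses ~1000:1."""
    return gzip.compress(b"\0" * inflated_size)


if __name__ == "__main__":
    payload = build_sample_payload()
    print(f"{len(payload)} compressed bytes")
    print("fits 1 MiB budget:", is_within_budget(payload, 1024 * 1024))
    print("fits 16 MiB budget:", is_within_budget(payload, 16 * 1024 * 1024))
```

A connection drain that only needs to discard the body should not decode at all (the cost is then bounded by the wire size); a consumer that does need the inflated bytes should read them through a cap like this one rather than trusting the Content-Length or the compressed size.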


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-409
  • Attack Vector: Network
  • CVSS 4.0: 8.9 (High)
  • Impact: Denial of Service (Resource Exhaustion)
  • Affected Component: HTTPResponse.drain_conn
  • Prerequisites: preload_content=False AND redirects enabled

Affected Systems

  • Python applications using urllib3 directly
  • Python applications using the requests library (depending on version coupling)
  • Web scrapers and crawlers
  • Webhook handlers
  • CI/CD pipelines fetching external resources
  • urllib3: >= 1.22, < 2.6.3 (Fixed in: 2.6.3)

Code Analysis

Commit: 8864ac4

Prevent decoding content during connection drain

def drain_conn(self):
-    self.read()
+    self.read(decode_content=self._has_decoded_content)
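Review bot: the rationale for `decode_content=self._has_decoded_content` is not recorded in the hunk; add a comment stating that the drain must use the same decoding mode as any earlier read so the decoder state stays consistent, and that a response whose body was never decoded is drained raw so an attacker-controlled compressed body is not inflated during cleanup. The hunk also shows no regression test; one that streams a gzip-encoded 302 with preload_content=False and redirects enabled, then asserts that draining never invokes the decoder, would pin the behaviour this change introduces.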

Exploit Details

  • Internal Analysis: Use a Flask server to return a gzip-encoded body with a 302 status.

Mitigation Strategies

  • Upgrade urllib3 to version 2.6.3 or higher.
  • Disable automatic redirects (redirect=False) when using preload_content=False.

Remediation Steps:

  1. Check your current version: pip show urllib3
  2. Update the package: pip install --upgrade urllib3
  3. Verify the version is >= 2.6.3
  4. Audit codebases for preload_content=False usage.
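The mitigation list and the remediation steps above reduce to two checks: is the installed urllib3 inside the reported range, and does the code base stream (preload_content=False) without also disabling redirects. The following is an added example (not from the original report and not urllib3 code) that automates both: a version comparison against the page's stated range (>= 1.22, < 2.6.3) that flags pre-release tags on the fix version for manual review, and a line-oriented source audit. SAMPLE_SOURCE is constructed here for the test; is_affected, audit_source and installed_urllib3_version are this example's own names.

```python
import re
from importlib import metadata

# Range reported as vulnerable on this page.
FIRST_AFFECTED = (1, 22, 0)
FIXED_IN = (2, 6, 3)

_NUMERIC = re.compile(r"^(\d+)(.*)$")


def parse_version(version: str):
    """Return (numeric_triple, has_suffix) for strings like '2.6.3' or '2.6.3rc1'.

    Any non-numeric tail (rc1, b2, dev, post) sets has_suffix so that a tagged
    build of the fix version is flagged rather than silently accepted.
    """
    numbers = []
    has_suffix = False
    for component in version.strip().split("."):
        m = _NUMERIC.match(component)
        if not m:
            has_suffix = True
            break
        numbers.append(int(m.group(1)))
        if m.group(2):
            has_suffix = True
            break
    while len(numbers) < 3:
        numbers.append(0)
    return tuple(numbers[:3]), has_suffix


def is_affected(version: str) -> bool:
    """True if the version falls in the reported range >= 1.22 and < 2.6.3."""
    ver, suffixed = parse_version(version)
    if ver < FIRST_AFFECTED or ver > FIXED_IN:
        return False
    if ver == FIXED_IN:
        return suffixed  # e.g. '2.6.3rc1' predates the fix: treat as affected
    return True


def installed_urllib3_version():
    """Equivalent of `pip show urllib3` for the running interpreter; None if absent."""
    try:
        return metadata.version("urllib3")
    except metadata.PackageNotFoundError:
        return None


PRELOAD_OFF = re.compile(r"preload_content\s*=\s*False")
REDIRECT_OFF = re.compile(r"redirect\s*=\s*False")


def audit_source(text: str):
    """Flag lines that stream (preload_content=False) without redirect=False.

    Deliberately line-oriented: a call split across lines, or redirects disabled
    at PoolManager level, will not be matched and needs a human follow-up.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if PRELOAD_OFF.search(line) and not REDIRECT_OFF.search(line):
            findings.append((lineno, line.strip()))
    return findings


# Constructed snippet standing in for a code base under audit.
SAMPLE_SOURCE = """\
import urllib3
http = urllib3.PoolManager()
streamed = http.request("GET", url, preload_content=False)
safe = http.request("GET", url, preload_content=False, redirect=False)
buffered = http.request("GET", url)
"""

if __name__ == "__main__":
    found = installed_urllib3_version()
    status = "affected" if found and is_affected(found) else "not affected / not installed"
    print(f"urllib3 {found}: {status}")
    for lineno, line in audit_source(SAMPLE_SOURCE):
        print(f"line {lineno} streams with redirects enabled: {line}")
```

Run the audit over each repository's Python files and treat every finding as either an upgrade to 2.6.3 or a redirect=False on that call; the version check gives the same answer as steps 1 and 3 without a shell round-trip.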

References


Read the full report for CVE-2026-21441 on our website for more details including interactive diagrams and full exploit analysis.
