CVE-2026-21441
Denial of Service vulnerability in urllib3 (PyPI)


What is CVE-2026-21441 About?

This vulnerability in urllib3's streaming API allows a malicious server to trigger excessive resource consumption through decompression bombs when handling HTTP redirect responses. It enables a denial-of-service attack on the client, causing high CPU usage and large memory allocations. Exploitation is relatively straightforward for an attacker controlling a server that clients interact with.

Affected Software

urllib3 >=1.22, <2.6.3

Technical Details

The urllib3 streaming API, designed for chunked reading of large HTTP responses, performs content decoding/decompression based on the Content-Encoding header (e.g., gzip, deflate, br, zstd). For HTTP redirect responses, prior to urllib3 v2.6.3, the library would unnecessarily read and decompress the entire response body, even before any read methods were invoked and without honoring configured read limits. This behavior creates a vulnerability to decompression bombs (CWE-409): a malicious server can send a small, highly compressed payload that expands to an enormous size upon decompression. When preload_content=False is used and redirects are not disabled, this leads to excessive resource consumption (high CPU and memory) on the client, effectively facilitating a denial-of-service attack.
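As an added defensive illustration (this is not urllib3's code or API): a gzip decoder that enforces a decoded-size cap incrementally, which is the property the fix restores for redirect bodies, plus a hypothetical is_affected_config helper that encodes the advisory's three conditions (version range, preload_content=False, redirects followed). The sample bodies are constructed inline, not captured traffic.

```python
import gzip
import re
import zlib


class DecompressionLimitExceeded(Exception):
    """Decoded output would exceed the caller's cap (CWE-409 guard)."""


def bounded_gunzip(compressed: bytes, max_decoded: int, chunk_size: int = 4096) -> bytes:
    """Decode a gzip body, aborting once decoded size passes max_decoded.

    max_length on the incremental decoder lets the stream grow only chunk_size
    bytes per step, so the cap is enforced before any large allocation.
    """
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip framing
    out = bytearray()
    data = compressed
    while not d.eof:
        chunk = d.decompress(data, chunk_size)
        out += chunk
        if len(out) > max_decoded:
            raise DecompressionLimitExceeded(
                f"{len(compressed)} compressed bytes expanded past {max_decoded}")
        data = d.unconsumed_tail  # input zlib has not consumed yet
        if not chunk and not data and not d.eof:
            raise zlib.error("truncated or invalid gzip stream")
    return bytes(out)


def decode_or_reject(compressed: bytes, max_decoded: int):
    """Convenience wrapper: decoded bytes, or None when the cap was hit."""
    try:
        return bounded_gunzip(compressed, max_decoded)
    except DecompressionLimitExceeded:
        return None


def is_affected_config(version: str, preload_content: bool, follow_redirects: bool) -> bool:
    """True when the advisory's three conditions all hold: urllib3 >=1.22,<2.6.3,
    preload_content=False, and redirects not disabled (hypothetical helper)."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    v = tuple(parts + [0] * (3 - len(parts)))
    return (1, 22, 0) <= v < (2, 6, 3) and not preload_content and follow_redirects


# Constructed sample bodies, not captured traffic: a normal redirect body and a
# highly compressible one (1 MiB of zeros packs into roughly 1 KiB of gzip).
SMALL_BODY = gzip.compress(b"moved permanently")
COMPRESSIBLE_BODY = gzip.compress(b"\x00" * (1 << 20))
```

With a 64 KiB cap the small body decodes normally while the compressible one is rejected after the seventeenth 4 KiB step, long before its full 1 MiB is materialised.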

What is the Impact of CVE-2026-21441?

Successful exploitation may allow attackers to consume excessive client resources (CPU and memory) through decompression bombs, leading to denial of service, application crashes, or system instability for applications using urllib3 to stream content from untrusted sources.

What is the Exploitability of CVE-2026-21441?

Exploitation is relatively low complexity for an attacker who controls the server from which the victim client is requesting content. No authentication is required on the client side, as the vulnerability affects how urllib3 processes untrusted server responses. No specific privilege requirements exist for the attacker, beyond operating a malicious server. The attack is remote, carried out by sending a crafted HTTP redirect response. The special conditions include the victim client using urllib3 versions up to 2.6.2, making requests with preload_content=False, and not disabling redirects. Risk factors are significantly increased when clients interact with untrusted or potentially compromised HTTP servers, as the attack is passive from the client's perspective after initiating a connection.

What are the Known Public Exploits?

No known exploits.

What are the Available Fixes for CVE-2026-21441?

Available Upgrade Options

  • urllib3
    • >=1.22, <2.6.3 → Upgrade to 2.6.3


Additional Resources

What are Similar Vulnerabilities to CVE-2026-21441?

Similar Vulnerabilities: CVE-2023-23963, CVE-2022-26155, CVE-2021-36085, CVE-2020-28491, CVE-2019-14250