PyPI · urllib3 · CVE-2026-21441
**Name of the Vulnerable Software and Affected Versions**
urllib3 versions 1.22 through 2.6.2
**Description**
urllib3 is a Python HTTP client library. Its streaming API is designed for efficient handling of large HTTP responses by reading content in chunks. The library decompresses content based on the HTTP `Content-Encoding` header, such as `gzip`, `deflate`, `br`, or `zstd`. When using the streaming API with HTTP redirects and `preload_content` set to `False`, versions prior to 2.6.3 would unnecessarily read and decompress the entire response body, even before any read methods were called. Configured read limits did not restrict the amount of decompressed data, creating a risk of decompression bombs. A malicious server could exploit this to cause excessive resource consumption on the client. Applications and libraries are affected when streaming content from untrusted sources without disabling redirects.
**Recommendations**
Upgrade to urllib3 version 2.6.3 or later.
If upgrading is not immediately possible, disable redirects by setting `redirect=False` for requests to untrusted sources.
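The following added example (not urllib3's own code) shows the client-side pattern the recommendations describe: stream with `preload_content=False` and `redirect=False`, and inflate the body under a caller-set byte budget instead of relying on urllib3's decoding. The names `bounded_gunzip` and `fetch_untrusted` are hypothetical; the gzip sample is constructed inline.

```python
import gzip
import zlib


class DecompressionLimitExceeded(Exception):
    """Raised when a response inflates past the caller's byte budget."""


def bounded_gunzip(chunks, max_decompressed):
    """Inflate gzip-encoded chunks, stopping as soon as the output would exceed
    max_decompressed bytes. The budget is enforced on every zlib call, so a
    decompression bomb never materialises in memory."""
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip framing
    out = bytearray()
    for chunk in chunks:
        data = chunk
        while data:
            # Request one byte more than the remaining budget so an overrun is
            # detectable (max_length=0 would mean "unlimited", budget is >= 1).
            budget = max_decompressed - len(out) + 1
            out += d.decompress(data, max_length=budget)
            if len(out) > max_decompressed:
                raise DecompressionLimitExceeded(f"output exceeded {max_decompressed} bytes")
            data = d.unconsumed_tail  # input zlib did not consume yet
    return bytes(out)


def fetch_untrusted(url, max_decompressed, chunk_size=8192):
    """Fetch a URL from an untrusted origin with the advisory's mitigations:
    redirects disabled, body not preloaded, decompression bounded here."""
    import urllib3  # imported lazily so bounded_gunzip can be tested offline

    resp = urllib3.PoolManager().request(
        "GET", url, preload_content=False, redirect=False)
    try:
        if 300 <= resp.status < 400:  # redirect=False hands back the 3xx itself
            raise RuntimeError(f"refusing redirect ({resp.status}) from {url}")
        encoding = resp.headers.get("Content-Encoding", "").lower()
        raw = resp.stream(chunk_size, decode_content=False)  # bytes as sent
        if encoding == "gzip":
            return bounded_gunzip(raw, max_decompressed)
        if encoding in ("", "identity"):
            out = bytearray()
            for chunk in raw:
                out += chunk
                if len(out) > max_decompressed:
                    raise DecompressionLimitExceeded("body exceeded budget")
            return bytes(out)
        raise RuntimeError(f"unsupported Content-Encoding: {encoding!r}")
    finally:
        resp.release_conn()


# Constructed sample: roughly 100 bytes of gzip that inflate to 100,000 bytes.
SAMPLE_GZIP = gzip.compress(b"A" * 100_000)
```

`deflate`, `br` and `zstd` bodies need the same budgeted treatment with their own decompressors; the gzip path above is the one carried through here.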