PT-2026-2060 · PyPI · urllib3
Illia-V
Published 2026-01-07 · Updated 2026-05-20
CVE-2026-21441
CVSS v4.0: 8.9 (High)
| Vector | AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H |
Name of the Vulnerable Software and Affected Versions
urllib3 versions 1.22 through 2.6.2
Description
urllib3 is a Python HTTP client library. Its streaming API is designed for efficient handling of large HTTP responses by reading content in chunks. The library decompresses content based on the HTTP Content-Encoding header, such as gzip, deflate, br, or zstd. When using the streaming API with HTTP redirects and preload content set to False, versions prior to 2.6.3 would unnecessarily read and decompress the entire response body, even before any read methods were called. Configured read limits did not restrict the amount of decompressed data, creating a risk of decompression bombs. A malicious server could exploit this to cause excessive resource consumption on the client. Applications and libraries are affected when streaming content from untrusted sources without disabling redirects.
Recommendations
Upgrade to urllib3 version 2.6.3 or later.
If upgrading is not immediately possible, disable redirects by setting redirect=False for requests to untrusted sources.
DoS
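As an added example (not part of the advisory and not urllib3's own code), the following standard-library Python shows two checks a defender wants for this issue: whether an installed urllib3 version falls in the affected range stated above, and how to cap the decompressed size of a gzip-encoded stream so that a highly compressible body from an untrusted server cannot expand without limit, which is the property the advisory says read limits failed to enforce. The HTTP layer is stubbed with a constructed gzip payload split into chunks, so it runs offline.

```python
import gzip
import re
import zlib

FIRST_AFFECTED = (1, 22)   # advisory: affected from urllib3 1.22
FIXED_VERSION = (2, 6, 3)  # advisory: fixed in urllib3 2.6.3


class DecompressedSizeExceeded(Exception):
    """Raised when decompressed output would exceed the configured cap."""


def parse_version(v: str) -> tuple:
    """'2.6.2' -> (2, 6, 2); only the leading digits of each part are kept."""
    parts = []
    for part in v.split("."):
        m = re.match(r"\d+", part)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when version lies in the advisory's affected range [1.22, 2.6.3)."""
    return FIRST_AFFECTED <= parse_version(version) < FIXED_VERSION


def bounded_gunzip(chunks, max_out: int) -> int:
    """Decompress gzip chunks incrementally, enforcing max_out on the
    *decompressed* size (not the wire size). Returns total bytes produced."""
    d = zlib.decompressobj(wbits=zlib.MAX_WBITS | 16)  # 16: expect gzip header
    total = 0
    for chunk in chunks:
        data = chunk
        while data:
            # max_length caps output; unprocessed input waits in unconsumed_tail
            out = d.decompress(data, max_out - total + 1)
            total += len(out)
            if total > max_out:
                raise DecompressedSizeExceeded(f"output exceeds {max_out} bytes")
            data = d.unconsumed_tail
    total += len(d.flush())
    if total > max_out:
        raise DecompressedSizeExceeded(f"output exceeds {max_out} bytes")
    return total


def constructed_gzip_chunks(payload: bytes, chunk_size: int = 1024) -> list:
    """Constructed stand-in for a streamed Content-Encoding: gzip response body."""
    wire = gzip.compress(payload)
    return [wire[i:i + chunk_size] for i in range(0, len(wire), chunk_size)]
```

Ten megabytes of zeros compress to roughly ten kilobytes on the wire, so a cap applied to the wire size would never trigger; bounded_gunzip applies the cap to what actually comes out of the decompressor and stops as soon as it is crossed.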
Affected Products
Debian
Linuxmint
Red Os
Rocky Linux
Ubuntu
Urllib3