PT-2026-39666 · PyPI · urllib3

Cycloctane +1 · Published 2026-05-11 · Updated 2026-05-22 · CVE-2026-44432

CVSS v4.0: 8.9 High
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
Name of the Vulnerable Software and Affected Versions: urllib3 versions 2.6.0 through 2.6.x
Description: An issue exists in the streaming API where the library may decompress an entire HTTP response instead of the requested portion. This occurs in two scenarios: on the second HTTPResponse.read(amt=N) call when the official brotli library is used for decompression, or when HTTPResponse.drain_conn() is called after a response has been partially read and decompressed. Because the whole decoded body is materialised at once rather than the N bytes the caller asked for, a small, highly compressed response can cause excessive resource consumption on the client side, specifically high CPU usage and very large memory allocation.
Recommendations: Update to version 2.7.0. As a temporary workaround for the brotli-specific issue, switch from the brotli library to brotlicffi. As a temporary workaround for the drain_conn() issue, call HTTPResponse.close() instead of HTTPResponse.drain_conn() when connection reuse is not required; close() discards the connection instead of reading the remaining body to return it to the pool.
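The following is an added illustration of the failure mode the advisory describes and of the bound a streaming client should keep, written against the standard library only (gzip/zlib); it is not urllib3's or brotli's code, and the names BoundedDecoder, read_within_budget, budget_exceeded and is_affected_urllib3 are constructed for this example. The sample body is a constructed 1 MiB run of zero bytes, which gzip compresses to roughly 1 KiB, so decoding it in full expands by about a thousandfold, while the bounded reader returns only the amt bytes requested per call and a budget aborts the transfer once the decoded size passes a ceiling.

```python
"""Bounded decompression of a streamed, highly compressible HTTP body.

Added illustration (not urllib3 or brotli code): a tiny compressed body
decoded all at once versus a reader that decodes only the `amt` bytes a
caller asked for and enforces a total-output budget.
"""
import gzip
import re
import zlib

# Constructed sample body: 1 MiB of zeros, which gzip shrinks to about 1 KiB.
PLAIN_SIZE = 1 << 20
BOMB = gzip.compress(b"\x00" * PLAIN_SIZE)


def decompress_all(compressed: bytes) -> int:
    """Unbounded decode: the whole body lands in memory at once, which is the
    behaviour the advisory reports for the second read()/drain_conn().
    Returns the plain size so the expansion ratio is visible."""
    return len(gzip.decompress(compressed))


class BoundedDecoder:
    """Incremental gzip reader: read(amt) never returns more than `amt` plain
    bytes, however far the compressed input would expand.

    Compressed input is fed in small slices; zlib's max_length stops output at
    the requested size and parks unprocessed input in unconsumed_tail, which
    is replayed on the next call instead of being decoded early."""

    def __init__(self, compressed: bytes, chunk: int = 256) -> None:
        self._input = compressed
        self._chunk = chunk
        self._obj = zlib.decompressobj(wbits=zlib.MAX_WBITS | 16)  # gzip framing
        self._pending = b""   # unconsumed_tail left over from the last call
        self.consumed = 0     # compressed bytes fed so far
        self.produced = 0     # plain bytes handed back so far

    def read(self, amt: int) -> bytes:
        out = bytearray()
        while len(out) < amt:
            if self._pending:
                data = self._pending           # replay what zlib did not take
            elif self.consumed < len(self._input):
                data = self._input[self.consumed:self.consumed + self._chunk]
                self.consumed += len(data)
            elif not self._obj.eof:
                data = b""                     # input exhausted; drain buffered output
            else:
                break                          # end of stream
            piece = self._obj.decompress(data, amt - len(out))
            self._pending = self._obj.unconsumed_tail
            if not data and not piece:
                break                          # truncated stream: nothing more to give
            out += piece
        self.produced += len(out)
        return bytes(out)


class DecompressionBudgetExceeded(Exception):
    """Raised when a body expands past the caller's plain-byte ceiling."""


def read_within_budget(compressed: bytes, amt: int, max_total: int) -> bytes:
    """Consume a body `amt` plain bytes at a time and stop as soon as more than
    `max_total` plain bytes have come out, so a small hostile body cannot
    turn into an unbounded allocation."""
    reader = BoundedDecoder(compressed)
    out = bytearray()
    while True:
        chunk = reader.read(amt)
        if not chunk:
            return bytes(out)
        out += chunk
        if len(out) > max_total:
            raise DecompressionBudgetExceeded(
                f"{len(out)} plain bytes from {reader.consumed} compressed bytes"
            )


def budget_exceeded(compressed: bytes, amt: int, max_total: int) -> bool:
    """True if decoding `compressed` would blow through `max_total`."""
    try:
        read_within_budget(compressed, amt, max_total)
    except DecompressionBudgetExceeded:
        return True
    return False


def is_affected_urllib3(version: str) -> bool:
    """Inventory check for the advisory's affected range, 2.6.0 through 2.6.x
    (fixed in 2.7.0). Pre-release suffixes are ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor, _ = (int(x) for x in m.groups())
    return (major, minor) == (2, 6)


if __name__ == "__main__":
    print(f"compressed: {len(BOMB)} bytes, plain: {decompress_all(BOMB)} bytes")
    print(f"bounded read(4096) produced {len(BoundedDecoder(BOMB).read(4096))} bytes")
    print("64 KiB budget exceeded:", budget_exceeded(BOMB, 4096, 64 * 1024))
    for v in ("2.6.3", "2.7.0"):
        print(v, "affected" if is_affected_urllib3(v) else "not affected")
```

In urllib3 terms the bounded loop corresponds to requesting the response with preload_content=False, consuming it with read(amt) and, per the advisory's workaround, finishing with close() rather than drain_conn() on affected versions; the budget check is the client-side guard that matters regardless of library version, since any decoder can be handed a small body that expands enormously.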

Fix

Weakness Enumeration

Related Identifiers

CLEANSTART-2026-AN27706
CLEANSTART-2026-EP51501
CLEANSTART-2026-GH89210
CLEANSTART-2026-HZ86045
CLEANSTART-2026-LZ07533
CLEANSTART-2026-MV15822
CLEANSTART-2026-QK55639
CLEANSTART-2026-UV23635
CVE-2026-44432
ECHO-61DA-F889-9D2C
GHSA-MF9V-MFXR-J63J
OPENSUSE-SU-2026:10798-1
PYSEC-2026-142

Affected Products

Urllib3