PT-2026-39744 · Undefined · Undefined

Published 2026-05-11 · Updated 2026-05-11 · CVE-2026-31015

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
🚨 High - urllib3 Sensitive Header Leak & Decompression Bomb Safeguard Bypass (CVE-2026-31015 & CVE-2026-31020)
Two critical vulnerabilities were identified in the urllib3 library (Node.js/Python). The first flaw (GHSA-qccp-gfcp-xxvc) allows sensitive headers like Authorization and Cookie to be leaked during cross-origin redirects when using ProxyManager. The second flaw (GHSA-mf9v-mfxr-j63j) allows attackers to bypass decompression-bomb safeguards, potentially leading to a Denial of Service (DoS) or memory exhaustion when processing malicious Brotli-compressed responses.
👉 Affected: urllib3 < 2.7.0 | Upgrade to 2.7.0

Related Identifiers: CVE-2026-31015

Affected Products: Undefined