Look up vulnerable packages by Package URL (purl).

GET /api/packages/50436?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/packages/50436?format=api",
    "purl": "pkg:pypi/urllib3@2.6.3",
    "type": "pypi",
    "namespace": "",
    "name": "urllib3",
    "version": "2.6.3",
    "qualifiers": {},
    "subpath": "",
    "is_vulnerable": true,
    "next_non_vulnerable_version": "2.7.0",
    "latest_non_vulnerable_version": "2.7.0",
    "affected_by_vulnerabilities": [
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37337?format=api",
            "vulnerability_id": "VCID-3wae-93ac-7qgn",
            "summary": "urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) when HTTPResponse.drain_conn() was called after the response had been read and decompressed partially (compression algorithm did not matter here). These issues could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This could result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data) on the client side. This vulnerability is fixed in 2.7.0.",
            "references": [
                {
                    "reference_url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        }
                    ],
                    "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/50437?format=api",
                    "purl": "pkg:pypi/urllib3@2.7.0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/urllib3@2.7.0"
                }
            ],
            "aliases": [
                "CVE-2026-44432",
                "GHSA-mf9v-mfxr-j63j",
                "PYSEC-2026-142"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3wae-93ac-7qgn"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37336?format=api",
            "vulnerability_id": "VCID-ueb4-ur9q-u3e1",
            "summary": "urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward sensitive request headers to the cross-origin destination (the linked advisory lists which headers). This vulnerability is fixed in 2.7.0.",
            "references": [
                {
                    "reference_url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
                        }
                    ],
                    "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/50437?format=api",
                    "purl": "pkg:pypi/urllib3@2.7.0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/urllib3@2.7.0"
                }
            ],
            "aliases": [
                "CVE-2026-44431",
                "GHSA-qccp-gfcp-xxvc",
                "PYSEC-2026-141"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ueb4-ur9q-u3e1"
        }
    ],
    "fixing_vulnerabilities": [
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49609?format=api",
            "vulnerability_id": "VCID-s4ya-j25m-17fs",
            "summary": "Decompression-bomb safeguards bypassed when following HTTP redirects (streaming API)\nurllib3's [streaming API](https://urllib3.readthedocs.io/en/2.6.2/advanced-usage.html#streaming-and-i-o) is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once.\n\nurllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption.\n\nHowever, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client (high CPU usage and large memory allocations for decompressed data; CWE-409).",
            "references": [
                {
                    "reference_url": "https://github.com/urllib3/urllib3",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/urllib3/urllib3"
                },
                {
                    "reference_url": "https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b"
                },
                {
                    "reference_url": "https://lists.debian.org/debian-lts-announce/2026/01/msg00017.html",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://lists.debian.org/debian-lts-announce/2026/01/msg00017.html"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21441",
                    "reference_id": "CVE-2026-21441",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21441"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-38jv-5279-wg99",
                    "reference_id": "GHSA-38jv-5279-wg99",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-38jv-5279-wg99"
                },
                {
                    "reference_url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99",
                    "reference_id": "GHSA-38jv-5279-wg99",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/50436?format=api",
                    "purl": "pkg:pypi/urllib3@2.6.3",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-3wae-93ac-7qgn"
                        },
                        {
                            "vulnerability": "VCID-ueb4-ur9q-u3e1"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/urllib3@2.6.3"
                }
            ],
            "aliases": [
                "CVE-2026-21441",
                "GHSA-38jv-5279-wg99"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-s4ya-j25m-17fs"
        }
    ],
    "risk_score": null,
    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/urllib3@2.6.3"
}