Vulnerability Instance
Lookup for vulnerabilities affecting packages.
GET /api/vulnerabilities/49609?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49609?format=api", "vulnerability_id": "VCID-s4ya-j25m-17fs", "summary": "Decompression-bomb safeguards bypassed when following HTTP redirects (streaming API)\nurllib3's [streaming API](https://urllib3.readthedocs.io/en/2.6.2/advanced-usage.html#streaming-and-i-o) is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once.\n\nurllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption.\n\nHowever, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client (high CPU usage and large memory allocations for decompressed data; CWE-409).", "aliases": [ { "alias": "CVE-2026-21441" }, { "alias": "GHSA-38jv-5279-wg99" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/50436?format=api", "purl": "pkg:pypi/urllib3@2.6.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3wae-93ac-7qgn" }, { "vulnerability": "VCID-ueb4-ur9q-u3e1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/urllib3@2.6.3" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/12603?format=api", "purl": "pkg:pypi/urllib3@1.22", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-21kr-1hbf-rfag" }, { "vulnerability": "VCID-4t6u-aq7n-cbce" }, { "vulnerability": "VCID-83up-c218-e7f3" }, { "vulnerability": "VCID-ah3u-nfq4-dfg6" }, { "vulnerability": "VCID-kesm-g3nv-6fbc" }, { "vulnerability": "VCID-p42y-ygek-p3eb" }, { "vulnerability": "VCID-s4ya-j25m-17fs" }, { "vulnerability": "VCID-us3z-hehr-uuca" }, { "vulnerability": "VCID-ymx9-acnn-dbcy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/urllib3@1.22" } ], "references": [ { "reference_url": "https://github.com/urllib3/urllib3", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/urllib3/urllib3" }, { "reference_url": "https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2026/01/msg00017.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.debian.org/debian-lts-announce/2026/01/msg00017.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21441", "reference_id": "CVE-2026-21441", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21441" }, { "reference_url": "https://github.com/advisories/GHSA-38jv-5279-wg99", "reference_id": "GHSA-38jv-5279-wg99", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-38jv-5279-wg99" }, { "reference_url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99", "reference_id": "GHSA-38jv-5279-wg99", "reference_type": "", "scores": [], "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99" } ], "weaknesses": [ { "cwe_id": 409, "name": "Improper Handling of Highly Compressed Data (Data Amplification)", "description": "The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output." }, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." }, { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." } ], "exploits": [], "severity_range_score": null, "exploitability": null, "weighted_severity": null, "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-s4ya-j25m-17fs" }