Update dependency urllib3 to v2.7.0 [SECURITY]#267
Open
renovate[bot] wants to merge 1 commit into
Open
Conversation
renovate
Bot
requested review from
ValentaTomas,
jakubno and
mishushakov
as code owners
![claude[bot]](https://avatars.githubusercontent.com/in/1236702?s=60&v=4){kind=small}
There was a problem hiding this comment.
An organization admin can view or raise the cap at claude.ai/admin-settings/claude-code. The cap resets at the start of the next billing period.
Once the cap resets or is raised, reopen this pull request to trigger a review.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
==2.6.3→==2.7.0urllib3: Decompression-bomb safeguards bypassed in parts of the streaming API
CVE-2026-44432 / GHSA-mf9v-mfxr-j63j
More information
Details
Impact
urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once.
urllib3 can perform decompression based on the HTTP
Content-Encodingheader (e.g.,gzip,deflate,br, orzstd). When using the streaming API since version 2.6.0, the library decompresses only the necessary bytes, enabling partial content consumption.However, urllib3 before version 2.7.0 could still decompress the whole response instead of the requested portion in two cases:
HTTPResponse.read(amt=N)call when the response was decompressed using the official Brotli library.HTTPResponse.drain_conn()was called after the response had been read and decompressed partially (compression algorithm did not matter here).These issues could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This could result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data; CWE-409) on the client side.
Affected usages
Applications and libraries using urllib3 versions earlier than 2.7.0 may be affected when streaming compressed responses from untrusted sources in either of these cases, unless decompression is explicitly disabled:
bris read incrementally with at least twoHTTPResponse.read(amt=N)orHTTPResponse.stream(amt=N)calls while using the official Brotli library.HTTPResponse.drain_conn()is called after response decompression has already started.Remediation
Upgrade to at least urllib3 version 2.7.0 in which the library:
HTTPResponse.drain_conn().If upgrading is not immediately possible, the following workarounds may reduce exposure in specific cases:
HTTPResponse.drain_conn(), callHTTPResponse.close()instead when connection reuse is not important.Credits
The Brotli-specific issue was reported by @kimkou2024.
HTTPResponse.drain_conn()inefficiency was reported by @Cycloctane.Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
urllib3: Sensitive headers forwarded across origins in proxied low-level redirects
CVE-2026-44431 / GHSA-qccp-gfcp-xxvc
More information
Details
Impact
When following cross-origin redirects for requests made using urllib3’s high-level APIs, such as
urllib3.request(),PoolManager.request(), andProxyManager.request(), sensitive headers —Authorization,Cookie, andProxy-Authorization(defined inRetry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT) — are stripped by default, as expected.However, cross-origin redirects followed from the low-level API via
ProxyManager.connection_from_url().urlopen(..., assert_same_host=False)still forward these sensitive headers.Affected usage
Applications and libraries using urllib3 versions earlier than 2.7.0 may be affected if they allow cross-origin redirects while making requests through
HTTPConnection.urlopen()instances created viaProxyManager.connection_from_url().Remediation
Upgrade to urllib3 version 2.7.0 or later, in which sensitive headers are stripped from redirects followed by
HTTPConnection.If upgrading is not immediately possible, avoid using this low-level redirect flow for cross-origin redirects. If appropriate for your use case, switch to
ProxyManager.request().Severity
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
urllib3/urllib3 (urllib3)
v2.7.0Compare Source
=======================
Security
Addressed high-severity security issues.
Impact was limited to specific use cases detailed in the accompanying
advisories; overall user exposure was estimated to be marginal.
Decompression-bomb safeguards of the streaming API were bypassed:
HTTPResponse.drain_conn()was called after the response had beenread and decompressed partially.
HTTPResponse.read(amt=N)orHTTPResponse.stream(amt=N)call when the response was decompressedusing the official
Brotli <https://pypi.org/project/brotli/>__ library.See
GHSA-mf9v-mfxr-j63j <https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j>__for details.
HTTP pools created using
ProxyManager.connection_from_urldid not stripsensitive headers specified in
Retry.remove_headers_on_redirectwhenredirecting to a different host.
(
GHSA-qccp-gfcp-xxvc <https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc>__)Deprecations and Removals
FutureWarninginstead ofDeprecationWarningfor bettervisibility of existing deprecation notices. Rescheduled the removal of
deprecated features to version 3.0.
(
#​3763 <https://github.com/urllib3/urllib3/issues/3763>__)(
#​3720 <https://github.com/urllib3/urllib3/issues/3720>__)(
#​4979 <https://github.com/urllib3/urllib3/issues/4979>__)(
#​3777 <https://github.com/urllib3/urllib3/issues/3777>__)Bugfixes
HTTPResponse.read(amt=None)was ignoring decompresseddata buffered from previous partial reads.
(
#​3636 <https://github.com/urllib3/urllib3/issues/3636>__)HTTPResponse.read()could cache only part of theresponse after a partial read when
cache_content=True.(
#​4967 <https://github.com/urllib3/urllib3/issues/4967>__)HTTPResponse.stream()andHTTPResponse.read_chunked()to handleamt=0.(
#​3793 <https://github.com/urllib3/urllib3/issues/3793>__)_TYPE_BODYtype alias to include missingIterable[str],matching the documented and runtime behavior of chunked request bodies.
(
#​3798 <https://github.com/urllib3/urllib3/issues/3798>__)LocationParseErrorwhen paths resembling schemeless URIs werepassed to
HTTPConnectionPool.urlopen().(
#​3352 <https://github.com/urllib3/urllib3/issues/3352>__)BaseHTTPResponse.readinto()type annotation to acceptmemoryviewin addition tobytearray, matching theio.RawIOBase.readintocontract and enabling use withio.BufferedReaderwithout type errors.(
#​3764 <https://github.com/urllib3/urllib3/issues/3764>__)Configuration
📅 Schedule: (in timezone UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.