Decompression Vulnerability in urllib3 Affects Python HTTP Clients
CVE-2026-21441

8.9HIGH

Key Information:

Vendor: Urllib3
Status: Urllib3
Vendor: CVE Published:; 7 January 2026

What is CVE-2026-21441?

urllib3, an HTTP client library for Python, has a vulnerability that affects its streaming API. This API processes large HTTP responses efficiently by reading them in chunks. However, in versions 1.22 to 2.6.2, for HTTP redirect responses, urllib3 unnecessarily reads and decompresses the entire response body before any read operations. This behavior can be exploited by a malicious server through crafted redirect responses, leading to excessive resource consumption on the client due to decompression bombs. To mitigate the risk, users should upgrade to urllib3 version 2.6.3 or later, which prevents decoding of redirect response content when configured with preload_content=False. Alternatively, clients can disable redirects when working with untrusted sources by setting redirect=False.

Affected Version(s)

urllib3 >= 1.22, < 2.6.3

References

https://github.com/urllib3/urllib3/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/urllib3/urllib3/commit/8864ac407bba860...

x_refsource_MISC

CVSS V4

Score:

8.9

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 7, 2026
Vulnerability Reserved
Dec 29, 2025

CVE-2026-21441 Data

JSON

Urllib3

What is CVE-2026-21441?

Affected Version(s)

References

CVSS V4

Timeline