Decompression Bomb Bypass in urllib3 Affects Streaming API with Brotli Support
CVE-2026-9375

7.5HIGH

Key Information:

Vendor: Urllib3
Status: Urllib3/urllib3
Vendor: CVE Published:; 19 June 2026

What is CVE-2026-9375?

A vulnerability in urllib3 version 2.6.3 exists that allows a decompression bomb bypass within its streaming API when Brotli support is enabled. The issue is a result of three distinct code paths in response.py that circumvent the max_length protection established in version 2.6.0 to address previous vulnerabilities. Negative max_length values can be generated through buffer arithmetic during the read operation, while flush_decoder unconditionally overrides max_length to -1. Furthermore, the _flush_decoder() function does not enforce any limits, effectively allowing unlimited decompression. This vulnerability may be exploited by a malicious HTTP server to induce an out-of-memory (OOM) condition, potentially causing a denial of service (DoS) in applications utilizing urllib3 or requests to stream data from unverified sources.

Affected Version(s)

urllib3/urllib3 < 2.7.0

References

https://huntr.com/bounties/ddd09eb9-b87d-4a43-84df-48837b...

https://github.com/urllib3/urllib3/commit/2bdcc44d1e163fb...

CVSS V3.0

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 19, 2026
Vulnerability Reserved
May 23, 2026

CVE-2026-9375 Data

JSON

Urllib3

What is CVE-2026-9375?

Affected Version(s)

References

CVSS V3.0

Timeline