Skip to main content

urllib3 EUVDEUVD-2026-38064

| CVE-2026-9375 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-06-19 @huntr_ai GHSA-mwq6-fg78-p6cq
7.5
CVSS 3.0 · Vendor: huntr_ai
Share

Severity by source

Vendor (huntr_ai) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Victim client only needs to fetch attacker-controlled URL with streaming + Brotli enabled (AV:N, AC:L, PR:N, UI:N); impact is memory exhaustion DoS, no C/I loss.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
6.8 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H

Primary rating from Vendor (huntr_ai).

CVSS VectorVendor: huntr_ai

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Patch available
Jun 19, 2026 - 21:02 EUVD
Source Code Evidence Fetched
Jun 19, 2026 - 19:30 vuln.today
Analysis Generated
Jun 19, 2026 - 19:30 vuln.today

DescriptionCVE.org

urllib3 version 2.6.3 is vulnerable to a decompression bomb bypass in its streaming API (preload_content=False) when using Brotli support. The issue arises due to three independent code paths in response.py that bypass the max_length protection introduced in version 2.6.0 to mitigate CVE-2025-66471. Specifically, negative max_length values can be produced due to buffer arithmetic in read(), flush_decoder unconditionally overrides max_length to -1, and _flush_decoder() passes no limit at all, defaulting to unlimited decompression. This allows a malicious HTTP server to trigger an out-of-memory (OOM) condition by decompressing large payloads into memory, leading to a denial of service (DoS). The vulnerability affects urllib3 2.6.3 and Brotli 1.2.0 and impacts applications and libraries using requests or urllib3 to stream content from untrusted sources.

AnalysisAI

Denial-of-service in urllib3 2.6.3 allows a malicious HTTP server to exhaust client memory via a Brotli decompression bomb that bypasses the streaming API's max_length safeguard added in 2.6.0 (CVE-2025-66471). Any Python application using urllib3 or requests with preload_content=False to stream Brotli-encoded responses from untrusted origins is exposed. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker stands up malicious HTTPS endpoint
Delivery
Victim client streams response with preload_content=False
Exploit
Server returns Brotli-encoded compression bomb
Execution
Second read() or drain_conn() bypasses max_length
Persist
Decoder expands payload into unbounded memory
Impact
Worker process OOM-killed, service denial

Vulnerability AssessmentAI

Exploitation Victim application must use urllib3 2.6.3 with the optional Brotli 1.2.0 package installed, must open the response in streaming mode (preload_content=False, equivalent to requests stream=True), and must fetch a URL controlled by or proxied through the attacker so the server can return Content-Encoding: br with a crafted compression-bomb payload. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS:3.0 vector AV:N/AC:L/PR:N/UI:N/C:N/I:N/A:H accurately reflects a network-reachable, unauthenticated, high-availability-impact DoS - a 7.5 base score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts a web service that returns a small Brotli-compressed payload that decompresses to many gigabytes and lures the victim application - a webhook receiver, link-preview generator, or SSRF-reachable scraper - into fetching the URL via requests.get(..., stream=True). On the second iter_content() chunk or when the connection is drained, urllib3's decoder fully expands the payload into memory, exhausting RAM and crashing the worker. …
Remediation Upstream fix available (commit 2bdcc44d1e163fb5cc48a8662425e35e15adfe6a); released patched version not independently confirmed from the provided data, so upgrade to the next urllib3 release above 2.6.3 carrying GHSA-mf9v-mfxr-j63j once published, and rebuild any pinned requests/urllib3 dependencies accordingly. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Audit production systems for Python applications using urllib3 or requests with streaming enabled (preload_content=False). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 12 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected

Share

EUVD-2026-38064 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy