Skip to main content

httplib2 EUVDEUVD-2026-42364

| CVE-2026-59939 HIGH
Improper Handling of Highly Compressed Data (Data Amplification) (CWE-409)
2026-07-08 GitHub_M
7.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Network-delivered via a malicious server response with no auth or interaction on the client, availability-only memory-exhaustion impact, so A:H with C:N/I:N; scope unchanged as only the client process is affected.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Patch available
Jul 08, 2026 - 21:04 EUVD
Analysis Generated
Jul 08, 2026 - 20:25 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 5,110 pypi packages depend on httplib2 (324 direct, 4,806 indirect)

Ecosystem-wide dependent count for version 0.32.0.

DescriptionCVE.org

httplib2 is a comprehensive HTTP client library for Python. Prior to 0.32.0, httplib2 performs unbounded decompression of HTTP response bodies encoded with Content-Encoding: gzip or deflate in _decompressContent in httplib2/init.py, allowing a malicious or compromised HTTP server to return a small compressed payload that expands to an arbitrarily large size in memory and causes MemoryError or OOM-kill in the client process. This issue is fixed in version 0.32.0.

AnalysisAI

Denial of service in the httplib2 Python HTTP client library (all versions prior to 0.32.0) lets a malicious or compromised HTTP server crash the client by returning a small gzip- or deflate-compressed response body that expands without bound during automatic decompression, exhausting memory and triggering a MemoryError or OS OOM-kill. Any application that uses httplib2 to fetch content from untrusted or attacker-controllable endpoints is affected. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Induce client to fetch attacker-controlled URL
Delivery
Server returns tiny gzip/deflate body
Exploit
httplib2 _decompressContent inflates unbounded
Execution
Client memory exhausted
Impact
MemoryError or OOM-kill of process

Vulnerability AssessmentAI

Exploitation Exploitation requires that the victim application uses httplib2 (< 0.32.0) to make an HTTP(S) request to a server the attacker controls, has compromised, or can machine-in-the-middle, AND that httplib2 processes a response carrying Content-Encoding: gzip or deflate - which httplib2 decompresses automatically, so no special client configuration is needed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (base 7.5, HIGH) is internally consistent for a pure availability impact: network attack vector, low complexity, no privileges or user interaction, and no confidentiality or integrity impact (C:N/I:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An application uses httplib2 to retrieve a URL that an attacker can control or influence (for example a webhook target, a user-supplied avatar/URL fetcher, an OAuth token or metadata endpoint, or via a machine-in-the-middle position). The attacker's server responds with a tiny Content-Encoding: gzip body - a few kilobytes that decompresses to many gigabytes - and httplib2 inflates it fully into memory, driving the worker into MemoryError or an OS OOM-kill. …
Remediation Upgrade httplib2 to Vendor-released patch: 0.32.0 (https://github.com/httplib2/httplib2/releases/tag/v0.32.0), which bounds decompression of gzip/deflate response bodies; pin the dependency and rebuild any lockfiles / transitive requirements since httplib2 is frequently pulled in indirectly (e.g. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit codebase for httplib2 usage and identify affected applications, particularly those processing data from untrusted sources. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

EUVD-2026-42364 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy