Skip to main content

Urllib3 Urllib3

1 CVEs product

Monthly

CVE-2026-9375 HIGH PATCH This Week

Denial-of-service in urllib3 2.6.3 allows a malicious HTTP server to exhaust client memory via a Brotli decompression bomb that bypasses the streaming API's max_length safeguard added in 2.6.0 (CVE-2025-66471). Any Python application using urllib3 or requests with preload_content=False to stream Brotli-encoded responses from untrusted origins is exposed. No public exploit identified at time of analysis, though an upstream commit and GHSA-mf9v-mfxr-j63j confirm the regression.

Denial Of Service Urllib3 Urllib3 Suse
NVD GitHub VulDB
CVSS 3.0
7.5
EPSS
0.3%
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial-of-service in urllib3 2.6.3 allows a malicious HTTP server to exhaust client memory via a Brotli decompression bomb that bypasses the streaming API's max_length safeguard added in 2.6.0 (CVE-2025-66471). Any Python application using urllib3 or requests with preload_content=False to stream Brotli-encoded responses from untrusted origins is exposed. No public exploit identified at time of analysis, though an upstream commit and GHSA-mf9v-mfxr-j63j confirm the regression.

Denial Of Service Urllib3 Urllib3 Suse
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy