Urllib3 Urllib3
Monthly
Denial-of-service in urllib3 2.6.3 allows a malicious HTTP server to exhaust client memory via a Brotli decompression bomb that bypasses the streaming API's max_length safeguard added in 2.6.0 (CVE-2025-66471). Any Python application using urllib3 or requests with preload_content=False to stream Brotli-encoded responses from untrusted origins is exposed. No public exploit identified at time of analysis, though an upstream commit and GHSA-mf9v-mfxr-j63j confirm the regression.
Denial-of-service in urllib3 2.6.3 allows a malicious HTTP server to exhaust client memory via a Brotli decompression bomb that bypasses the streaming API's max_length safeguard added in 2.6.0 (CVE-2025-66471). Any Python application using urllib3 or requests with preload_content=False to stream Brotli-encoded responses from untrusted origins is exposed. No public exploit identified at time of analysis, though an upstream commit and GHSA-mf9v-mfxr-j63j confirm the regression.