urllib3-future is vulnerable to Decompression Bomb
89
High Risk
Affected versions of urllib3-future may fully decompress a specially crafted compressed HTTP response (a decompression bomb: a small compressed body that expands to a very large payload) during streaming operations, without bounding the amount of output produced. A malicious or compromised server can therefore drive excessive CPU and memory consumption on the client, potentially causing a denial of service.
You are affected if you are using a version that falls within the vulnerable range.
urllib3-future is vulnerable to Decompression Bomb in versions 2.15.900 - 2.19.913.
Upgrade urllib3-future to a patched release (one later than the affected range above). If upgrading is not possible, use brotlicffi instead of the official Brotli library, and replace HTTPResponse.drain_conn() calls with HTTPResponse.close() wherever connection reuse is not required: drain_conn() reads (and therefore decompresses) the remainder of the body so the connection can be returned to the pool, whereas close() discards the connection without decoding the rest of the response.
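The underlying defence against this class of bug is to decompress in bounded steps and abort as soon as the output or the expansion ratio exceeds a budget, rather than decoding the whole body and discovering the size afterwards. The following is an added, self-contained Python example written for this page; it is not urllib3-future's decoder and does not use its API. It builds a constructed gzip bomb (8 MiB of zeros, a few KiB on the wire), feeds it through a streaming gunzip that enforces an output cap and a ratio cap after every bounded zlib call, and shows that a constructed legitimate body still round-trips. The budget constants, the 64 KiB ratio floor and the function names are assumptions chosen for the demo.

```python
"""Bounded streaming gunzip: cap total output and expansion ratio so a
decompression bomb fails fast instead of exhausting memory and CPU.
Constructed example for this advisory; not urllib3-future's own code."""
import gzip
import io
import zlib

# Policy knobs (assumed values for the demo; tune per client).
MAX_OUTPUT_BYTES = 1 << 20      # never produce more than 1 MiB from one body
MAX_RATIO = 100                 # refuse streams that expand more than 100x
RATIO_FLOOR = 64 * 1024         # ignore the ratio until this much output exists
OUT_CHUNK = 64 * 1024           # upper bound on output per decompress() call


class DecompressionBombError(Exception):
    """Raised when the body exceeds the output or ratio budget."""


def build_gzip_bomb(size: int) -> bytes:
    """Constructed attacker payload: `size` zero bytes, gzip-compressed.
    Zeros compress roughly 1000:1, so the wire size is tiny."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb") as f:
        block = b"\0" * (1 << 20)
        remaining = size
        while remaining:
            n = min(len(block), remaining)
            f.write(block[:n])
            remaining -= n
    return buf.getvalue()


def compress_body(data: bytes) -> bytes:
    """Constructed server side: gzip a legitimate body."""
    return gzip.compress(data)


def _enforce(consumed: int, produced: int) -> None:
    """Abort once either budget is exceeded; called after every bounded step."""
    if produced > MAX_OUTPUT_BYTES:
        raise DecompressionBombError(
            f"output {produced} B exceeds cap {MAX_OUTPUT_BYTES} B")
    if produced > RATIO_FLOOR and produced > MAX_RATIO * consumed:
        raise DecompressionBombError(
            f"expansion {produced // max(consumed, 1)}x exceeds {MAX_RATIO}x")


def bounded_gunzip(chunks):
    """Yield decompressed data for an iterable of gzip wire chunks, checking
    the budget after each bounded zlib call rather than after the fact."""
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)   # 16+15: gzip framing
    consumed = produced = 0
    for chunk in chunks:
        consumed += len(chunk)
        data = chunk
        while True:
            out = d.decompress(data, OUT_CHUNK)     # returns at most OUT_CHUNK bytes
            produced += len(out)
            _enforce(consumed, produced)
            if out:
                yield out
            data = d.unconsumed_tail                # input zlib has not eaten yet
            # Stop only when no input is pending and the last call produced less
            # than a full chunk (a full chunk may mean more output is buffered).
            if not data and len(out) < OUT_CHUNK:
                break
    tail = d.flush()
    produced += len(tail)
    _enforce(consumed, produced)
    if tail:
        yield tail


def decompress_all(payload: bytes, wire_chunk: int = 1024) -> bytes:
    """Simulate a streaming client by feeding the wire bytes in small chunks."""
    chunks = (payload[i:i + wire_chunk] for i in range(0, len(payload), wire_chunk))
    return b"".join(bounded_gunzip(chunks))


def is_bomb(payload: bytes) -> bool:
    """True if the bounded decoder refuses the payload."""
    try:
        decompress_all(payload)
    except DecompressionBombError:
        return True
    return False


# Constructed legitimate body: log-like text, compressible but not absurdly so.
SAMPLE_BODY = b"".join(
    f"req {i}: status=200 bytes={i * 7 % 1013}\n".encode() for i in range(2000))

if __name__ == "__main__":
    bomb = build_gzip_bomb(8 << 20)
    print(f"bomb: {len(bomb)} wire bytes, rejected: {is_bomb(bomb)}")
    print(f"legit body round-trips: "
          f"{decompress_all(compress_body(SAMPLE_BODY)) == SAMPLE_BODY}")
```

The two checks are complementary: the absolute cap bounds memory for any single body, while the ratio check catches a bomb early, before the cap is reached, once enough output exists for the ratio to be meaningful. Running the ratio test from the first byte would false-positive on small, highly repetitive but legitimate responses, which is why it waits for RATIO_FLOOR bytes of output.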