Intel

AIKIDO-2026-721881

httplib2 is vulnerable to Uncontrolled Resource Consumption

Uncontrolled Resource Consumption Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 26, 2026

35

Low Risk

This Affects:

PYTHONhttplib2
0.7.0 - 0.31.2
Fixed in 0.32.0
Are you affected? Scan for Free

TL;DR

The httplib2 HTTP client automatically decompresses response bodies that carry a gzip or deflate Content-Encoding header. Before the fix it decompressed the entire body into memory with no size or amplification limit, so a small compressed response could expand into a very large output. A malicious or compromised server can exploit this with a decompression bomb to exhaust client memory and cause denial of service. The fix wraps decoding in a limiter that enforces a hard output limit, a safe-size threshold, and an output-to-input ratio, raising an error when they are exceeded.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your client fetches gzip- or deflate-encoded responses from untrusted servers.

Background info

httplib2 is vulnerable to Uncontrolled Resource Consumption in versions 0.7.0 - 0.31.2.

How to fix this

Upgrade the httplib2 library to the patch version.