httplib2 is vulnerable to Uncontrolled Resource Consumption
35
Low Risk
The httplib2 HTTP client automatically decompresses response bodies that carry a gzip or deflate Content-Encoding header. Before the fix it decompressed the entire body into memory with no size or amplification limit, so a small compressed response could expand into a very large output. A malicious or compromised server can exploit this with a decompression bomb to exhaust client memory and cause denial of service. The fix wraps decoding in a limiter that enforces a hard output limit, a safe-size threshold, and an output-to-input ratio, raising an error when they are exceeded.
You are affected if you are using a version that falls within the vulnerable range and your client fetches gzip- or deflate-encoded responses from untrusted servers.
httplib2 is vulnerable to Uncontrolled Resource Consumption in versions 0.7.0 - 0.31.2.
Upgrade the httplib2 library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant