Title: Update dependency urllib3 to v2.6.3 [SECURITY] by renovate[bot] · Pull Request #39 · protoconf/client-python · GitHub
Open Graph Title: Update dependency urllib3 to v2.6.3 [SECURITY] by renovate[bot] · Pull Request #39 · protoconf/client-python
X Title: Update dependency urllib3 to v2.6.3 [SECURITY] by renovate[bot] · Pull Request #39 · protoconf/client-python
Description: This PR contains the following updates:
Package
Change
Age
Confidence
urllib3 (changelog)
==2.2.2 → ==2.6.3
GitHub Vulnerability Alerts
CVE-2025-50181
urllib3 handles redirects and retries using the same mechanism, which is controlled by the Retry object. The most common way to disable redirects is at the request level, as follows:
resp = urllib3.request("GET", "https://httpbin.org/redirect/1", redirect=False)
print(resp.status)
# 302
However, it is also possible to disable redirects, for all requests, by instantiating a PoolManager and specifying retries in a way that disable redirects:
import urllib3
http = urllib3.PoolManager(retries=0) # should raise MaxRetryError on redirect
http = urllib3.PoolManager(retries=urllib3.Retry(redirect=0)) # equivalent to the above
http = urllib3.PoolManager(retries=False) # should return the first response
resp = http.request("GET", "https://httpbin.org/redirect/1")
However, the retries parameter is currently ignored, which means all the above examples don't disable redirects.
Affected usages
Passing retries on PoolManager instantiation to disable redirects or restrict their number.
By default, requests and botocore users are not affected.
Impact
Redirects are often used to exploit SSRF vulnerabilities. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects at the PoolManager level will remain vulnerable.
Remediation
You can remediate this vulnerability with the following steps:
Upgrade to a patched version of urllib3. If your organization would benefit from the continued support of urllib3 1.x, please contact sethmichaellarson@gmail.com to discuss sponsorship or contribution opportunities.
Disable redirects at the request() level instead of the PoolManager() level.
CVE-2025-50182
urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means you can use Python libraries to make HTTP requests from your browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects.
However, the retries and redirect parameters are ignored with Pyodide; the runtime itself determines redirect behavior.
Affected usages
Any code which relies on urllib3 to control the number of redirects for an HTTP request in a Pyodide runtime.
Impact
Redirects are often used to exploit SSRF vulnerabilities. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects may remain vulnerable if a Pyodide runtime redirect mechanism is unsuitable.
Remediation
If you use urllib3 in Node.js, upgrade to a patched version of urllib3.
Unfortunately, browsers provide no suitable way which urllib3 can use: XMLHttpRequest provides no control over redirects, the Fetch API returns opaqueredirect responses lacking data when redirects are controlled manually. Expect default browser behavior for redirects.
CVE-2025-66418
Impact
urllib3 supports chained HTTP encoding algorithms for response content according to RFC 9110 (e.g., Content-Encoding: gzip, zstd).
However, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data.
Affected usages
Applications and libraries using urllib3 version 2.5.0 and earlier for HTTP requests to untrusted sources unless they disable content decoding explicitly.
Remediation
Upgrade to at least urllib3 v2.6.0 in which the library limits the number of links to 5.
If upgrading is not immediately possible, use preload_content=False and ensure that resp.headers["content-encoding"] contains a safe number of encodings before reading the response content.
CVE-2025-66471
Impact
urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once.
When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation.
The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data; CWE-409) on the client side, even if the application only requested a small chunk of data.
Affected usages
Applications and libraries using urllib3 version 2.5.0 and earlier to stream large compressed responses or content from untrusted sources.
stream(), read(amt=256), read1(amt=256), read_chunked(amt=256), readinto(b) are examples of urllib3.HTTPResponse method calls using the affected logic unless decoding is disabled explicitly.
Remediation
Upgrade to at least urllib3 v2.6.0 in which the library avoids decompressing data that exceeds the requested amount.
If your environment contains a package facilitating the Brotli encoding, upgrade to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 too. These versions are enforced by the urllib3[brotli] extra in the patched versions of urllib3.
Credits
The issue was reported by @Cycloctane.
Supplemental information was provided by @stamparm during a security audit performed by 7ASecurity and facilitated by OSTIF.
CVE-2026-21441
Impact
urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once.
urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption.
However, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client (high CPU usage and large memory allocations for decompressed data; CWE-409).
Affected usages
Applications and libraries using urllib3 version 2.6.2 and earlier to stream content from untrusted sources by setting preload_content=False when they do not disable redirects.
Remediation
Upgrade to at least urllib3 v2.6.3 in which the library does not decode content of redirect responses when preload_content=False.
If upgrading is not immediately possible, disable redirects by setting redirect=False for requests to untrusted source.
Release Notes
urllib3/urllib3 (urllib3)
v2.6.3
Compare Source
==================
Fixed a high-severity security issue where decompression-bomb safeguards of
the streaming API were bypassed when HTTP redirects were followed.
(GHSA-38jv-5279-wg99
Open Graph Description: This PR contains the following updates: Package Change Age Confidence urllib3 (changelog) ==2.2.2 → ==2.6.3 GitHub Vulnerability Alerts CVE-2025-50181 urllib3 handles redirects and retr...
X Description: This PR contains the following updates: Package Change Age Confidence urllib3 (changelog) ==2.2.2 → ==2.6.3 GitHub Vulnerability Alerts CVE-2025-50181 urllib3 handles redirects and retr...
Opengraph URL: https://github.com/protoconf/client-python/pull/39
X: @github
Domain: patch-diff.githubusercontent.com
| route-pattern | /:user_id/:repository/pull/:id/files(.:format) |
| route-controller | pull_requests |
| route-action | files |
| fetch-nonce | v2:91e3cd53-d243-301b-1ce6-b5ef4fc3bd26 |
| current-catalog-service-hash | ae870bc5e265a340912cde392f23dad3671a0a881730ffdadd82f2f57d81641b |
| request-id | 9ED6:5A3B5:2041E3C:2B409D6:69807389 |
| html-safe-nonce | d22d666d1de5b72309f0e9232cc939a0484e0eca2ed45985fcac8fddc1e0f199 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiI5RUQ2OjVBM0I1OjIwNDFFM0M6MkI0MDlENjo2OTgwNzM4OSIsInZpc2l0b3JfaWQiOiI3Mzg4NDUxMDUyMzM4ODQwNDEiLCJyZWdpb25fZWRnZSI6ImlhZCIsInJlZ2lvbl9yZW5kZXIiOiJpYWQifQ== |
| visitor-hmac | fa4ec012e5a74d91fc8b9adbe835c7bf32a6068ed216fb47fe0ab0335835872f |
| hovercard-subject-tag | pull_request:2603833971 |
| github-keyboard-shortcuts | repository,pull-request-list,pull-request-conversation,pull-request-files-changed,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/protoconf/client-python/pull/39/files |
| twitter:image | https://avatars.githubusercontent.com/in/2740?s=400&v=4 |
| twitter:card | summary_large_image |
| og:image | https://avatars.githubusercontent.com/in/2740?s=400&v=4 |
| og:image:alt | This PR contains the following updates: Package Change Age Confidence urllib3 (changelog) ==2.2.2 → ==2.6.3 GitHub Vulnerability Alerts CVE-2025-50181 urllib3 handles redirects and retr... |
| og:site_name | GitHub |
| og:type | object |
| hostname | github.com |
| expected-hostname | github.com |
| None | 0959b1a93ca48b0c88b3bddbdfd04ca43f388cb1a8293105a28c5ef6e8079db8 |
| turbo-cache-control | no-preview |
| diff-view | unified |
| go-import | github.com/protoconf/client-python git https://github.com/protoconf/client-python.git |
| octolytics-dimension-user_id | 51154987 |
| octolytics-dimension-user_login | protoconf |
| octolytics-dimension-repository_id | 820059494 |
| octolytics-dimension-repository_nwo | protoconf/client-python |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 820059494 |
| octolytics-dimension-repository_network_root_nwo | protoconf/client-python |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | true |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 78307334c66591a8f87f493dd2968126b34961dd |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width