{"id":"PYSEC-2026-142","details":"urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) when HTTPResponse.drain_conn() was called after the response had been read and decompressed partially (compression algorithm did not matter here). These issues could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This could result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data) on the client side. This vulnerability is fixed in 2.7.0.","aliases":["CVE-2026-44432","GHSA-mf9v-mfxr-j63j"],"modified":"2026-05-20T09:19:21.038869Z","published":"2026-05-13T16:16:57.303Z","references":[{"type":"ADVISORY","url":"https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j"}],"affected":[{"package":{"name":"urllib3","ecosystem":"PyPI","purl":"pkg:pypi/urllib3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.6.0"},{"fixed":"2.7.0"}]}],"versions":["2.6.0","2.6.1","2.6.2","2.6.3"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/urllib3/PYSEC-2026-142.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}