CVE-2026-9375
Status: Received - Intake
urllib3 2.6.3 Decompression Bomb Bypass via Brotli

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: huntr.dev

Description
urllib3 version 2.6.3 is vulnerable to a decompression bomb bypass in its streaming API (`preload_content=False`) when using Brotli support. The issue arises due to three independent code paths in `response.py` that bypass the `max_length` protection introduced in version 2.6.0 to mitigate CVE-2025-66471. Specifically, negative `max_length` values can be produced due to buffer arithmetic in `read()`, `flush_decoder` unconditionally overrides `max_length` to `-1`, and `_flush_decoder()` passes no limit at all, defaulting to unlimited decompression. This allows a malicious HTTP server to trigger an out-of-memory (OOM) condition by decompressing large payloads into memory, leading to a denial of service (DoS). The vulnerability affects urllib3 2.6.3 and Brotli 1.2.0 and impacts applications and libraries using `requests` or `urllib3` to stream content from untrusted sources.
Affected Vendors & Products
Vendor    Product   Version / Range
urllib3   urllib3   2.6.3
brotli    brotli    1.2.0
CWE
CWE-400 (Uncontrolled Resource Consumption): The product does not properly control the allocation and maintenance of a limited resource.
Executive Summary

CVE-2026-9375 is a vulnerability in urllib3 version 2.6.3 related to its streaming API when using Brotli compression. The issue occurs because multiple code paths bypass the maximum decompression length protections, allowing a malicious server to send specially crafted compressed data that decompresses into very large payloads in memory.

Specifically, negative max_length values can arise due to buffer arithmetic in the read() method, the flush_decoder method forcibly sets max_length to -1, and the _flush_decoder() method does not limit decompression at all. This results in an attacker being able to trigger an out-of-memory condition by decompressing large amounts of data, causing a denial of service.

The vulnerability affects applications and libraries that use urllib3 or requests to stream content from untrusted sources with Brotli compression enabled.

Impact Analysis

This vulnerability can lead to a denial-of-service (DoS) condition by causing the affected application to consume excessive memory when decompressing maliciously crafted Brotli-compressed data.

An attacker controlling an HTTP server can exploit this by sending large compressed payloads that bypass decompression limits, causing the client application to run out of memory and potentially crash or become unresponsive.

This impacts the availability of services relying on urllib3 or requests for streaming content, especially when handling data from untrusted or external sources.

Detection Guidance

Detection of this vulnerability involves monitoring for abnormal memory usage or out-of-memory (OOM) conditions when streaming HTTP responses using urllib3 with Brotli decompression enabled.

Specifically, detection can focus on identifying applications using urllib3 version 2.6.3 with Brotli 1.2.0 that stream content with the streaming API (`preload_content=False`).

While no explicit commands are provided in the resources, general approaches include:

  • Checking the installed versions of urllib3 and Brotli from Python:

    ```python
    import urllib3
    import brotli

    # This advisory names urllib3 2.6.3 together with Brotli 1.2.0.
    print(urllib3.__version__)
    print(brotli.__version__)
    ```
  • Monitoring application logs and system metrics for high memory consumption or crashes during HTTP streaming operations.
  • Using network monitoring to flag responses carrying `Content-Encoding: br` from untrusted servers whose compressed size is small relative to the memory growth they cause on the client. The decompressed size is not visible on the wire, so a compressed-size measurement alone will not reveal a bomb.
Mitigation Strategies

Immediate mitigation steps include upgrading urllib3 to a version that contains the fix for CVE-2026-9375.

The fix involves changes to the `drain_conn` and `read` methods to properly enforce decompression safeguards and prevent memory exhaustion.

If upgrading is not immediately possible, avoid letting vulnerable versions decode Brotli: send an explicit `Accept-Encoding` header that omits `br` (requests advertises `br` automatically when the brotli package is importable), or avoid streaming with `preload_content=False` from untrusted servers. Note that a malicious server can send `Content-Encoding: br` regardless of what the client advertised and urllib3 decodes based on that response header, so the header change alone is not a complete defense; reading with `decode_content=False` and decompressing under an explicit byte budget is.

Additionally, monitor and limit memory usage for applications that handle untrusted HTTP content to reduce the risk of denial-of-service.
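The bypass the description and impact sections call out is a missing or non-positive output cap during streaming decompression, and the mitigation above relies on decompressing under an explicit budget. The following is an added example, not urllib3's code, showing the unbounded pattern beside a bounded one. It uses the standard library's zlib in place of Brotli so it runs offline; the chunk sizes, the `make_bomb` helper and the budget are constructed for the demo. Assumption, to be confirmed against the installed binding: in the Brotli 1.2.0 Python package the equivalent per-call cap is the `output_buffer_limit` argument of `Decompressor.process()`, which plays the role `read_size` plays here.

```python
"""Bounded streaming decompression guard (added example; not urllib3 code).

zlib stands in for Brotli so this runs offline. The pattern is the one the
max_length protection in urllib3's streaming API is meant to provide: a small,
always-positive per-call output cap, a running total checked against a budget,
and no unlimited flush at end-of-stream.
"""
import zlib
from typing import Iterable, Iterator

CHUNK = 8 * 1024        # simulated network read size (demo assumption)
READ_SIZE = 64 * 1024   # largest decompressed slice materialised per decoder call


class DecompressionBudgetExceeded(Exception):
    """The response decompressed past the caller's budget; stop reading."""


def make_bomb(decompressed_size: int) -> bytes:
    """Constructed sample input: a run of zeros, the simplest decompression bomb."""
    return zlib.compress(b"\x00" * decompressed_size, 9)


def chunked(data: bytes, size: int = CHUNK) -> Iterator[bytes]:
    """Feed the payload the way a socket would: one small chunk at a time."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


def unbounded_decompress(chunks: Iterable[bytes]) -> int:
    """Failure mode: every chunk is fully expanded and the decoder is flushed
    with no limit, so peak memory is whatever the server chose.
    Returns the number of bytes produced."""
    decoder = zlib.decompressobj()
    total = 0
    for chunk in chunks:
        total += len(decoder.decompress(chunk))
    total += len(decoder.flush())   # the unlimited end-of-stream flush the advisory describes
    return total


def bounded_decompress(chunks: Iterable[bytes], max_output: int,
                       read_size: int = READ_SIZE) -> Iterator[bytes]:
    """Yield decompressed slices of at most read_size bytes and abort once more
    than max_output bytes have been produced in total."""
    if max_output <= 0 or read_size <= 0:
        # zlib treats max_length == 0 as "unlimited"; a cap that reaches 0 or goes
        # negative through buffer arithmetic would silently disable the guard.
        raise ValueError("max_output and read_size must be positive")
    decoder = zlib.decompressobj()
    produced = 0
    for chunk in chunks:
        pending = chunk
        while True:
            # Cap is always >= 1: the decoder never receives an unlimited request.
            cap = min(read_size, max_output - produced + 1)
            out = decoder.decompress(pending, cap)
            produced += len(out)
            if produced > max_output:
                raise DecompressionBudgetExceeded(
                    f"decompressed output exceeded {max_output} bytes")
            if out:
                yield out
            pending = decoder.unconsumed_tail   # input the cap left unprocessed
            if decoder.eof or (not pending and not out):
                break
    # No unlimited flush(): the loop above drained the decoder under a cap each time.
    if not decoder.eof:
        raise ValueError("truncated compressed stream")


def decompress_all(data: bytes, max_output: int) -> bytes:
    """Join the bounded slices; for payloads the caller is willing to hold in memory."""
    return b"".join(bounded_decompress(chunked(data), max_output))


def run_demo(bomb_size: int = 16 * 1024 * 1024, budget: int = 1024 * 1024) -> dict:
    """Run both strategies over the same constructed bomb and report what happened."""
    bomb = make_bomb(bomb_size)
    result = {
        "compressed_bytes": len(bomb),
        "unbounded_bytes": unbounded_decompress(chunked(bomb)),
        "bounded_aborted": False,
        "bounded_bytes_before_abort": 0,
    }
    consumed = 0
    try:
        for piece in bounded_decompress(chunked(bomb), budget):
            consumed += len(piece)
    except DecompressionBudgetExceeded:
        result["bounded_aborted"] = True
    result["bounded_bytes_before_abort"] = consumed
    return result


if __name__ == "__main__":
    print(run_demo())
```

In a urllib3 client the same shape applies to `resp.stream(decode_content=False)`: the raw compressed chunks go to `bounded_decompress`, and the caller decides the budget rather than trusting the server's size. The `unbounded_decompress` function holds the whole decompressed payload in memory only to count it; that allocation is exactly the DoS.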

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
