CVE-2026-59939
Received Received - Intake

Memory Exhaustion in httplib2 via Gzip Deflate

Vulnerability report for CVE-2026-59939, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

httplib2 is a comprehensive HTTP client library for Python. Prior to 0.32.0, httplib2 performs unbounded decompression of HTTP response bodies encoded with Content-Encoding: gzip or deflate in _decompressContent in httplib2/init.py, allowing a malicious or compromised HTTP server to return a small compressed payload that expands to an arbitrarily large size in memory and causes MemoryError or OOM-kill in the client process. This issue is fixed in version 0.32.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
httplib2 httplib2 to 0.32.0 (exc)
httplib2 httplib2 0.32.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-409 The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability in httplib2 allows a malicious server to cause a denial-of-service (DoS) by triggering unbounded decompression, leading to memory exhaustion in the client process.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, denial-of-service vulnerabilities can indirectly impact compliance by causing service outages or disruptions.

Such outages may affect the availability requirement of these regulations, but there is no direct information linking this vulnerability to data confidentiality or integrity breaches relevant to GDPR or HIPAA.

Executive Summary

The vulnerability exists in the httplib2 Python HTTP client library prior to version 0.32.0. It involves unbounded decompression of HTTP response bodies encoded with gzip or deflate. Specifically, the _decompressContent function decompresses the entire payload without any size limits, allowing a malicious or compromised HTTP server to send a small compressed payload that expands to an arbitrarily large size in memory.

This unbounded decompression can cause the client process to run out of memory, resulting in a MemoryError or the process being killed by the operating system (OOM-kill). The vulnerability can be triggered automatically when the client receives responses with Content-Encoding: gzip or deflate headers.

Impact Analysis

This vulnerability can lead to a denial-of-service (DoS) condition on any application using httplib2 versions 0.31.2 or earlier when making HTTP requests to untrusted or attacker-controlled servers.

An attacker can send a small compressed payload that decompresses to a very large size (with an amplification ratio up to 1,029 times), causing excessive memory consumption. This can crash the client application by triggering MemoryError exceptions or cause the operating system to terminate the process due to out-of-memory conditions.

The attack requires no authentication, user interaction, or special configuration, making it easy to exploit remotely.

Detection Guidance

This vulnerability occurs when httplib2 versions 0.31.2 and earlier decompress HTTP response bodies encoded with gzip or deflate without limits, potentially causing MemoryError or OOM kills.

To detect if your system is vulnerable, first identify if your environment uses httplib2 versions prior to 0.32.0.

  • Check the installed httplib2 version with the command: python -c "import httplib2; print(httplib2.__version__)"
  • Monitor your application logs or system logs for MemoryError exceptions or out-of-memory kills related to processes using httplib2.
  • Use network monitoring tools to inspect HTTP responses with Content-Encoding headers set to gzip or deflate from untrusted or suspicious servers.
  • If possible, capture and analyze HTTP traffic using tools like tcpdump or Wireshark to identify unusually small compressed payloads that decompress to very large sizes.
Mitigation Strategies

The primary and most effective mitigation is to upgrade httplib2 to version 0.32.0 or later, which includes decompression limits to prevent resource exhaustion.

If upgrading immediately is not possible, consider implementing application-level controls to limit or monitor the size of decompressed HTTP response bodies.

Configure decompression limits if using the patched version, such as setting hard limits, safe limits, and ratio limits on decompressed data size, as introduced in the update.

Avoid making HTTP requests to untrusted or attacker-controlled servers that could exploit this vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59939. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart