CVE-2026-21441 (CNNVD-202601-1138)

HIGH
中文标题:
urllib3 安全漏洞
英文标题:
urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API)
CVSS分数: 8.9
发布时间: 2026-01-07 22:09:01
漏洞类型: 其他
状态: PUBLISHED
数据质量分数: 0.40
数据版本: v4
漏洞描述
中文描述:

urllib3是urllib3开源的一款Python HTTP库。该产品具有线程安全连接池、文件发布支持等。 urllib3 2.6.3之前版本存在安全漏洞,该漏洞源于处理HTTP重定向响应时未限制解压缩数据量,可能导致资源消耗过多。

英文描述:

urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in version 1.22 and prior to version 2.6.3, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client. Applications and libraries are affected when they stream content from untrusted sources by setting `preload_content=False` when they do not disable redirects. Users should upgrade to at least urllib3 v2.6.3, in which the library does not decode content of redirect responses when `preload_content=False`. If upgrading is not immediately possible, disable redirects by setting `redirect=False` for requests to untrusted source.

CWE类型:
CWE-409
标签:
(暂无数据)
受影响产品
厂商 产品 版本 版本范围 平台 CPE
urllib3 urllib3 >= 1.22, < 2.6.3 - - cpe:2.3:a:urllib3:urllib3:>=_1.22,_<_2.6.3:*:*:*:*:*:*:*
python urllib3 * - - cpe:2.3:a:python:urllib3:*:*:*:*:*:*:*:*
解决方案
中文解决方案:
(暂无数据)
英文解决方案:
(暂无数据)
临时解决方案:
(暂无数据)
参考链接
https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99 x_refsource_CONFIRM
cve.org
访问
https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b x_refsource_MISC
cve.org
访问
CVSS评分详情
4.0 (cna)
HIGH
8.9
CVSS向量: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
机密性
NONE
完整性
NONE
可用性
HIGH
后续系统影响 (Subsequent):
机密性
NONE
完整性
NONE
可用性
HIGH
时间信息
发布时间:
2026-01-07 22:09:01
修改时间:
2026-01-08 20:08:22
创建时间:
2026-01-12 02:12:36
更新时间:
2026-01-16 02:48:19
利用信息
暂无可利用代码信息
数据源详情
数据源 记录ID 版本 提取时间
CVE cve_CVE-2026-21441 2026-01-09 02:02:07 2026-01-12 02:12:36
NVD nvd_CVE-2026-21441 2026-01-09 03:00:09 2026-01-12 02:28:16
CNNVD cnnvd_CNNVD-202601-1138 2026-01-11 06:15:08 2026-01-12 02:38:12
版本与语言
当前版本: v4
主要语言: EN
支持语言:
EN ZH
安全公告
暂无安全公告信息
变更历史
v4 NVD
2026-01-16 02:48:09
affected_products_count: 1 → 2
查看详细变更
  • affected_products_count: 1 -> 2
v3 CNNVD
2026-01-12 02:38:12
vulnerability_type: 未提取 → 其他; cnnvd_id: 未提取 → CNNVD-202601-1138; data_sources: ['cve', 'nvd'] → ['cnnvd', 'cve', 'nvd']
查看详细变更
  • vulnerability_type: 未提取 -> 其他
  • cnnvd_id: 未提取 -> CNNVD-202601-1138
  • data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
v2 NVD
2026-01-12 02:28:16
data_sources: ['cve'] → ['cve', 'nvd']
查看详细变更
  • data_sources: ['cve'] -> ['cve', 'nvd']