urllib3 Unbounded Decompression Chain Vulnerability Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in urllib3, a popular HTTP client library for Python. It affects versions 1.24 through 2.5.0. urllib3 supports chained content encodings: a response's 'Content-Encoding' header may list several comma-separated algorithms (for example 'gzip, deflate'), and the client applies one decoder per link, in reverse order of the list. Before version 2.6.0 there was no limit on the number of links in that chain, so a malicious server could declare a virtually unlimited number of compression steps and force the client to perform that many decompression passes, consuming excessive CPU time and allocating significant memory for the decompressed data. The vulnerability affects applications and libraries that use urllib3 to make HTTP requests to untrusted servers, unless content decoding is explicitly disabled.

Impact

Exploitation of this vulnerability can cause high CPU usage and massive memory allocation in the client process that reads the response, leading to a denial-of-service condition.

Reproduction

A malicious server triggers the vulnerability by returning an HTTP response whose 'Content-Encoding' header lists an excessive number of chained encodings, for example 'gzip' and 'deflate' repeated many times, with a body that has been compressed through that many layers. When a client running an affected version reads the body with content decoding enabled, urllib3 constructs one decoder per listed encoding and applies them in sequence; the decoding work and the allocations grow with the length of the chain, so a sufficiently long chain exhausts the client's CPU and memory and produces the denial-of-service condition. No limit on the chain length existed before the fix, so nothing stopped the client from committing to the full amount of work.

Remediation

Users are advised to upgrade to urllib3 version 2.6.0 or later, where the number of allowed chained encodings is limited to five. If an immediate upgrade is not possible, fetch responses with 'preload_content=False' so that the body is not read (and therefore not decoded) automatically, inspect the 'content-encoding' header and reject responses that list too many encodings, and only then read the body. The check must run before the body is read, because decoding happens as part of reading. Alternatively, disable automatic decoding with 'decode_content=False' and decompress the body yourself with the same limit enforced.
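The chained-encoding behaviour described under Reproduction and the pre-read header check recommended under Remediation, as an added example that is not part of this advisory and not urllib3's own code. It builds chained bodies with the standard library's gzip and zlib modules, enforces the five-link cap that 2.6.0 adopted before any decompression runs, and wraps the workaround for affected versions in a helper that uses only public urllib3 API. The names `parse_content_encoding`, `encode_chain`, `decode_chain`, `fetch_with_chain_guard` and `DecompressionChainTooLong` are chosen here, and the 200-layer hostile body is constructed in the script, not captured from a real server.

```python
import gzip
import zlib

# The cap on chained encodings that urllib3 adopted in 2.6.0.
MAX_CHAIN_LINKS = 5


class DecompressionChainTooLong(ValueError):
    """Raised when a Content-Encoding header lists more links than allowed."""


def parse_content_encoding(header):
    """Split a Content-Encoding value into its ordered list of codings.

    'gzip, deflate' means the body was gzipped first and then deflated, so a
    decoder must undo the codings in reverse order.
    """
    if not header:
        return []
    return [c.strip().lower() for c in header.split(",") if c.strip()]


def encode_chain(payload, encodings):
    """Compress payload through the codings in order, as a server would.

    Only used here to construct test bodies; a hostile server would do this
    with hundreds or thousands of links.
    """
    data = payload
    for coding in encodings:
        if coding == "gzip":
            data = gzip.compress(data)
        elif coding == "deflate":
            data = zlib.compress(data)  # zlib-wrapped deflate
        elif coding == "identity":
            continue
        else:
            raise ValueError(f"unsupported coding: {coding!r}")
    return data


def decode_chain(data, header, max_links=MAX_CHAIN_LINKS):
    """Decode a chained body, refusing chains longer than max_links.

    The length check runs before any decompression: the cost has to be
    bounded before the client commits to doing the work.
    """
    encodings = parse_content_encoding(header)
    if len(encodings) > max_links:
        raise DecompressionChainTooLong(
            f"Content-Encoding lists {len(encodings)} codings, limit is {max_links}"
        )
    for coding in reversed(encodings):
        if coding == "gzip":
            data = gzip.decompress(data)
        elif coding == "deflate":
            data = zlib.decompress(data)
        elif coding == "identity":
            continue
        else:
            raise ValueError(f"unsupported coding: {coding!r}")
    return data


def fetch_with_chain_guard(url, max_links=MAX_CHAIN_LINKS):
    """Workaround for affected urllib3 versions (hypothetical helper name).

    Streams the response so nothing is decoded yet, checks the header, and
    only then lets urllib3 read and decode the body. The import is local so
    the rest of this module runs without urllib3 installed.
    """
    import urllib3

    http = urllib3.PoolManager()
    resp = http.request("GET", url, preload_content=False)
    encodings = parse_content_encoding(resp.headers.get("content-encoding"))
    if len(encodings) > max_links:
        resp.close()  # drop the connection instead of draining (decoding) the body
        raise DecompressionChainTooLong(
            f"{url}: {len(encodings)} chained encodings, limit is {max_links}"
        )
    try:
        return resp.read()  # body is read and decoded only now
    finally:
        resp.release_conn()


if __name__ == "__main__":
    body = b"hello, world"
    ok_header = "gzip, deflate, gzip"
    wire = encode_chain(body, parse_content_encoding(ok_header))
    assert decode_chain(wire, ok_header) == body
    print(f"3-link chain: {len(wire)} bytes on the wire, {len(body)} decoded")

    # Constructed hostile response: 200 nested gzip layers around a tiny body.
    hostile = ["gzip"] * 200
    hostile_wire = encode_chain(body, hostile)
    try:
        decode_chain(hostile_wire, ", ".join(hostile))
    except DecompressionChainTooLong as exc:
        print("rejected before decoding:", exc)
```

The guard in `fetch_with_chain_guard` closes the connection on rejection rather than draining it, because draining would read, and therefore decode, the very body being refused. Run the script directly to see a three-link body round-trip and a 200-link body rejected before any decoder is constructed.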

Added: Dec 5, 2025, 4:17 PM
Updated: Dec 5, 2025, 4:17 PM

Vulnerability Rating

Custom Algorithm
spread: 7.8
impact: 2.5
exploitability: 5.3
remediation: 7.7
relevance: 1.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.