urllib3 Decompression Bomb Vulnerability in Streaming API

Vulnerability

A vulnerability exists in urllib3, a popular HTTP client library for Python, in versions 1.0 through 2.5.0. The issue lies in the streaming API, which does not bound how much output it produces when decoding highly compressed data. Because the library may fully decompress a small amount of highly compressed data in a single operation, a streamed response can cause excessive resource consumption: high CPU usage and very large memory allocations for the decompressed data. The vulnerability is particularly concerning when streaming large or unknown-length responses from untrusted sources, because it can be exploited to create a 'decompression bomb' effect, where a small amount of compressed data expands into a much larger size, consuming resources and potentially leading to denial-of-service conditions.

Impact

Exploitation of this vulnerability can cause high CPU usage and massive memory allocation for decompressed data, creating a 'decompression bomb' effect that overwhelms system resources.

Reproduction

The vulnerability can be reproduced by using urllib3 versions 1.0 prior to 2.6.0 to stream compressed HTTP responses. A server triggers it by sending a response whose 'Content-Encoding' header names a supported compression type such as 'gzip', 'deflate', 'br', or 'zstd'. When the client streams that response, urllib3 may decompress the data all at once rather than in bounded pieces, and when the compression ratio is high this leads to excessive resource use.

Remediation

Users should upgrade to urllib3 version 2.6.0 or later. If Brotli encoding is used, also ensure that the Brotli package is updated to version 1.2.0 or later; the patched versions declare this requirement through the 'urllib3[brotli]' extra.
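The mechanism described above (a tiny compressed body that the decoder expands in one step) and the remediation are both about bounding decompressed output. The following is an added example, not code from urllib3 or from this advisory, showing the defense-in-depth check an application can apply regardless of library version: fetch the body undecoded and decompress it itself with a per-call output cap and an overall budget. It uses only the standard library; the gzip payload is constructed inline (a few MiB of zero bytes), and the function names `bounded_gunzip` and `safe_total_size` are this example's own.

```python
import gzip
import zlib


class DecompressionLimitExceeded(Exception):
    """Raised when decompressed output would exceed the configured budget."""


def bounded_gunzip(chunks, max_output_bytes, step=64 * 1024):
    """Decompress a gzip stream chunk by chunk, yielding pieces of at most
    `step` bytes and never producing more than `max_output_bytes` in total.

    zlib.decompressobj.decompress(data, max_length) caps the output of each
    call; input it could not consume within that cap is kept in
    unconsumed_tail and fed back in, so a small compressed chunk can never
    force a single huge allocation. The running total enforces the budget.
    """
    decoder = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # 16+ selects gzip framing
    produced = 0
    for chunk in chunks:
        data = chunk
        while True:
            out = decoder.decompress(data, step)
            produced += len(out)
            if produced > max_output_bytes:
                raise DecompressionLimitExceeded(
                    f"decompressed output exceeds {max_output_bytes} bytes")
            if out:
                yield out
            data = decoder.unconsumed_tail  # input left over because of the cap
            if not data:
                break
    tail = decoder.flush()
    produced += len(tail)
    if produced > max_output_bytes:
        raise DecompressionLimitExceeded(
            f"decompressed output exceeds {max_output_bytes} bytes")
    if tail:
        yield tail


def safe_total_size(compressed, max_output_bytes, wire_chunk=4096):
    """Feed `compressed` as if it arrived from the network in wire_chunk-sized
    pieces and return the total decompressed size, or raise if the budget is hit."""
    chunks = (compressed[i:i + wire_chunk]
              for i in range(0, len(compressed), wire_chunk))
    return sum(len(piece) for piece in bounded_gunzip(chunks, max_output_bytes))


def compressed_zeros(n_bytes):
    """Constructed sample body: n_bytes of 0x00, gzip-compressed (roughly
    1000:1 ratio), standing in for a highly compressed untrusted response."""
    return gzip.compress(b"\x00" * n_bytes)


if __name__ == "__main__":
    body = compressed_zeros(4 * 1024 * 1024)
    print(f"compressed size: {len(body)} bytes")
    print("within 4 MiB budget:", safe_total_size(body, 4 * 1024 * 1024))
    try:
        safe_total_size(body, 256 * 1024)
    except DecompressionLimitExceeded as exc:
        print("rejected:", exc)
```

To wire this to urllib3, request with `preload_content=False` and iterate `response.stream(4096, decode_content=False)` so the library hands over the raw compressed bytes and the application, not the decoder, decides how much output to accept. The same budget logic applies to 'br' and 'zstd' bodies using those libraries' streaming decompressors; this example handles gzip only (use `32 + zlib.MAX_WBITS` to also accept zlib-wrapped 'deflate').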

Added: Dec 5, 2025, 5:27 PM
Updated: Dec 5, 2025, 5:27 PM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 1.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.