urllib3
cpe:2.3:a:urllib3:urllib3:*:*:*:*:*:*:*
- >= 1.22, < 2.6.3
A high-severity vulnerability exists in urllib3 versions 1.22 prior to 2.6.3, allowing a malicious server to exploit the library's streaming API. The vulnerability arises because, during HTTP redirects, urllib3 unnecessarily reads and decompresses entire response bodies before any data is explicitly requested. This behavior bypasses safeguards against decompression bombs, leading to excessive CPU usage and large memory allocations for decompressed data. Applications that stream content from untrusted sources using 'preload_content=False' without disabling redirects are particularly vulnerable.
Exploitation of this vulnerability causes high CPU usage and significant memory consumption due to the handling of decompressed data, creating a denial-of-service condition on the client.
The vulnerability can be reproduced by sending an HTTP response with a 'Content-Encoding' header that indicates compression (such as 'gzip') and a 'Location' header that points to another URL, effectively creating a redirect. The initial response should be handled by urllib3 with 'preload_content' set to 'False' and redirects enabled. When the redirect is followed, urllib3 will read and decompress the entire response body, bypassing the decompression-bomb safeguards and allowing a malicious server to cause excessive resource consumption on the client.
Users should upgrade to urllib3 version 2.6.3 or later, where the library no longer decodes content of redirect responses when 'preload_content' is set to 'False'. If an immediate upgrade is not possible, redirects can be disabled by setting 'redirect=False' for requests to untrusted sources.
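The mitigation above, as an added example that is not urllib3's own code: a streaming fetch that sets redirect=False and follows Location headers itself, closing each redirect response without reading it and capping the decoded size of the final body. The local HTTPServer (`_Origin`, `start_origin`) is a constructed stand-in for the hostile server, serving a gzip body of zeros; `fetch_stream`, its parameters and the route names are assumptions of this example, and urllib3 must be installed.

```python
import gzip
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin

import urllib3

REDIRECT_CODES = {301, 302, 303, 307, 308}

def fetch_stream(url, http=None, max_hops=5, max_body=1 << 20):
    """Stream url with redirect=False; returns (status, body, hops, redirect_bytes_read)."""
    http = http or urllib3.PoolManager()
    redirect_bytes = 0
    for hops in range(max_hops + 1):
        # Affected pattern: preload_content=False with the default redirect=True.
        resp = http.request("GET", url, preload_content=False, redirect=False)
        if resp.status not in REDIRECT_CODES or "Location" not in resp.headers:
            break
        redirect_bytes += resp.tell()  # raw bytes consumed from the wire; stays 0
        resp.close()                   # drop the connection instead of draining it
        url = urljoin(url, resp.headers["Location"])
    else:
        raise RuntimeError("too many redirects")
    body, total = bytearray(), 0
    for chunk in resp.stream(8192):  # decoded chunks, capped by max_body
        total += len(chunk)
        if total > max_body:
            resp.close()
            raise ValueError("decoded body exceeds max_body")
        body += chunk
    resp.release_conn()
    return resp.status, bytes(body), hops, redirect_bytes

class _Origin(BaseHTTPRequestHandler):
    BOMB = gzip.compress(b"\0" * (8 << 20))  # constructed: 8 MiB of zeros, ~8 KiB gzipped
    ROUTES = {"/start": (302, {"Location": "/final", "Content-Encoding": "gzip"}, BOMB),
              "/bomb": (200, {"Content-Encoding": "gzip"}, BOMB), "/final": (200, {}, b"ok")}

    def do_GET(self):
        status, hdrs, body = self.ROUTES.get(self.path, (404, {}, b"not found"))
        self.send_response(status)
        for name, value in {**hdrs, "Content-Length": str(len(body))}.items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)

def start_origin():
    server = HTTPServer(("127.0.0.1", 0), _Origin)  # free port on loopback
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"
```

Calling `fetch_stream(base + "/start")` against the stand-in returns `redirect_bytes_read == 0`, showing the gzip redirect body was neither read nor decoded, while `/bomb` trips the `max_body` cap instead of inflating 8 MiB.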