urllib3 Decompression Vulnerability in Streaming API Allows Resource Exhaustion

Vulnerability

A vulnerability exists in urllib3, the Python HTTP client library, in versions 2.6.0 up to but not including 2.7.0. The affected code is the streaming API (an HTTPResponse opened with preload_content=False and consumed in pieces with HTTPResponse.read(amt=N)), which is meant to let a caller bound how much of a large response is decompressed and held in memory at any one time. In the affected versions, urllib3 could decompress the entire remaining response body instead of only the portion requested, in two situations: on the second HTTPResponse.read(amt=N) call when the response is Brotli-compressed, and when HTTPResponse.drain_conn() is called after a response has been partially read and decompressed, regardless of the compression algorithm. Because the compressed body comes from the server, a small, highly compressible response from an untrusted source can expand into a very large buffer, consuming CPU time and memory on the client even though the caller asked for only N bytes.

Impact

A malicious or compromised server (or anyone able to tamper with the response) can return a small, highly compressible body that an affected client decompresses in full at once, causing high CPU usage and a large memory allocation for the decompressed data. The result is resource exhaustion, and potentially denial of service, in the client process; the memory bound the caller expressed through amt=N is not honoured.

Reproduction

To reproduce this vulnerability, use urllib3 2.6.0 or any later release before 2.7.0, open a streaming response (preload_content=False) to an untrusted server that returns a Brotli-compressed body, and read it in pieces with HTTPResponse.read(amt=N). On the second read(amt=N) call, the library decompresses the rest of the response instead of only the next N bytes, so a body of highly repetitive data that is tiny on the wire expands into a large decompressed buffer. Alternatively, partially read and decompress a response using any supported compression algorithm and then call HTTPResponse.drain_conn(): the drain decompresses the remainder of the body even though that data is only being read in order to be discarded.

Remediation

Upgrade to urllib3 2.7.0 or later, which fixes both code paths. If an immediate upgrade is not possible: for the Brotli case, replace the official Brotli package with brotlicffi (urllib3 picks up brotlicffi automatically when it is installed); for the drain_conn() case, call HTTPResponse.close() instead wherever returning the connection to the pool is not important, since close() discards the connection without reading or decompressing the rest of the body. In either case, treat compressed responses from untrusted servers as attacker-controlled input and do not rely on the affected versions to honour the amt=N bound.
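The following Python script is an added illustration of the two behaviours described in the Reproduction and Remediation sections; it is not urllib3 code and uses neither urllib3 nor Brotli. It relies on the standard library's zlib in gzip mode, applied to a constructed, highly compressible body (8 MiB of zero bytes, which gzip shrinks to a few KiB) fed from an in-memory stream standing in for a socket. NaiveReader and BoundedReader are hypothetical names: the first decompresses every raw chunk in full and drains by reading to end of stream, which is the resource-exhaustion pattern the advisory describes; the second decompresses at most the amt bytes requested per call (zlib's max_length together with unconsumed_tail) and drains by discarding the compressed remainder without decompressing it, which is what a caller of read(amt=N) expects.

```python
"""Bounded vs. unbounded streaming decompression (constructed illustration;
not urllib3's implementation)."""
import io
import zlib

PLAIN_SIZE = 8 * 1024 * 1024    # decompressed size of the constructed body
READ_SIZE = 4096                # what the caller asks for per read(amt=...)
CHUNK = 65536                   # raw bytes pulled from the "socket" per read
GZIP_WBITS = 16 + zlib.MAX_WBITS  # zlib wbits value selecting the gzip wrapper


def make_gzip_bomb(size: int = PLAIN_SIZE) -> bytes:
    """Constructed response body: `size` zero bytes, gzip-compressed (~1000:1)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, GZIP_WBITS)
    block = b"\0" * (1024 * 1024)
    parts = [comp.compress(block) for _ in range(size // len(block))]
    parts.append(comp.flush())
    return b"".join(parts)


class NaiveReader:
    """Vulnerable pattern (hypothetical stand-in): each read() decompresses every
    raw chunk it pulls in full, so peak memory tracks the decompressed size of
    the body rather than the requested amt."""

    def __init__(self, fp):
        self._fp = fp
        self._dec = zlib.decompressobj(GZIP_WBITS)
        self._buf = bytearray()          # already-decompressed, not yet returned
        self.peak_buffered = 0           # largest decompressed buffer ever held

    def read(self, amt: int) -> bytes:
        while len(self._buf) < amt:
            raw = self._fp.read(CHUNK)
            if not raw:
                break
            self._buf += self._dec.decompress(raw)   # no cap on output size
            self.peak_buffered = max(self.peak_buffered, len(self._buf))
        out = bytes(self._buf[:amt])
        del self._buf[:amt]
        return out

    def drain(self) -> None:
        """Read-to-EOF drain: decompresses the whole remainder just to discard it."""
        while self.read(1024 * 1024):
            pass


class BoundedReader:
    """Fixed pattern (hypothetical stand-in): decompress at most `amt` bytes per
    call, carry the unconsumed compressed tail, and drain without decompressing."""

    def __init__(self, fp):
        self._fp = fp
        self._dec = zlib.decompressobj(GZIP_WBITS)
        self._pending = b""              # compressed bytes not yet fed to zlib
        self.peak_buffered = 0

    def read(self, amt: int) -> bytes:
        out = bytearray()
        while len(out) < amt:
            if not self._pending:
                self._pending = self._fp.read(CHUNK)
                if not self._pending:
                    break                                  # body exhausted
            # max_length caps the decompressed output; zlib keeps the rest of
            # the compressed input in unconsumed_tail for the next call.
            out += self._dec.decompress(self._pending, amt - len(out))
            self._pending = self._dec.unconsumed_tail
            self.peak_buffered = max(self.peak_buffered, len(out))
        return bytes(out)

    def drain(self) -> None:
        """Discard the rest of the compressed body without decompressing it; the
        stream is still fully consumed, so a connection could be reused."""
        self._pending = b""
        while self._fp.read(CHUNK):
            pass


def demo() -> dict:
    """Run both readers over the same body: two partial reads, then a drain."""
    body = make_gzip_bomb()
    naive = NaiveReader(io.BytesIO(body))
    bounded = BoundedReader(io.BytesIO(body))
    same = True
    for _ in range(2):                  # the second read() is the trigger case
        same &= naive.read(READ_SIZE) == bounded.read(READ_SIZE) == b"\0" * READ_SIZE
    naive.drain()                       # analogue of drain_conn() after a partial read
    bounded.drain()
    return {"same_bytes": same,
            "compressed_size": len(body),
            "naive_peak": naive.peak_buffered,
            "bounded_peak": bounded.peak_buffered}


if __name__ == "__main__":
    print(demo())
```

Both readers hand back identical bytes, but the naive reader holds the entire 8 MiB body decompressed in memory after the caller's first 4 KiB request, while the bounded reader never holds more than the 4 KiB it was asked for and its drain touches no decompressor at all. That asymmetry is what lets a small compressed response from an untrusted server exhaust client memory when the library ignores amt.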

Added: May 13, 2026, 5:23 PM
Updated: May 13, 2026, 5:23 PM

Vulnerability Rating

Custom Algorithm

  spread          7.8
  impact          0.6
  exploitability  5.0
  remediation     8.3
  relevance       8.2
  threat          1.6
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.