Skip to content

fix(deps): pin urllib3 to 2.7.0 for CVE-2026-9375#4193

Open
Jan-Kazlouski-elastic wants to merge 1 commit into
mainfrom
jan-kazlouski/12535-cve-2026-9375-fix
Open

fix(deps): pin urllib3 to 2.7.0 for CVE-2026-9375#4193
Jan-Kazlouski-elastic wants to merge 1 commit into
mainfrom
jan-kazlouski/12535-cve-2026-9375-fix

Conversation

@Jan-Kazlouski-elastic

Copy link
Copy Markdown
Contributor

Closes https://github.com/elastic/security/issues/12535

Pins urllib3 to the fixed 2.7.0 release to address CVE-2026-9375 (High, CWE-400), a decompression-bomb bypass in urllib3's streaming API.

Assessment: Affected

urllib3 ships transitively (via requests==2.32.4, and also botocore / elastic-transport). None of these parents floor urllib3 at >=2.7.0 — current and latest releases all declare a broad urllib3<3 range with a low lower bound — so the resolver could (and in the customer SBOM for 9.4.0/9.4.2 did) select the vulnerable 2.6.3. A direct pin is the only deterministic remedy.

The 2.7.0 fix closes two streaming decompression-bomb bypass paths. The Brotli-specific path is not reachable (Brotli is not an installed dependency), but the HTTPResponse.drain_conn()-after-partial-read path is not Brotli-specific and is exercised by requests' normal connection reuse on standard gzip/deflate responses. A malicious or compromised configured source could therefore trigger an out-of-memory denial of service. Impact is availability-only (CVSS 3.0 7.5, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H); no confidentiality/integrity impact. Practical exposure is reduced because connectors only talks to operator-configured sources, not a public multi-tenant endpoint.

Note: no urllib3 2.6.4 exists on PyPI (versions jump 2.6.3 → 2.7.0); NVD confirms "affected < 2.7.0", so 2.7.0 is the fixed release.

Scanner A/B (CVE-2026-9375)

The scanners track the duplicate OSV/GitHub record for the same decompression-bomb fix (CVE-2026-44432 / PYSEC-2026-142 / GHSA-mf9v-mfxr-j63j) rather than the literal CVE-2026-9375; both are fixed in 2.7.0.

Tool Before After
pip-audit reported clear
Trivy reported clear
Snyk n/a n/a

(Snyk's DB does not carry this urllib3 advisory, so it neither reported before nor after — inconclusive.)

Checklists

Pre-Review Checklist

  • this PR does NOT contain credentials of any kind
  • this PR has a meaningful title
  • this PR links to all relevant github issues that it fixes or partially addresses
  • this PR has a thorough description
  • Tested the changes locally (make clean install autoformat lint test PYTHON=python3.11, all tests pass)
  • Added a label for each target release version

Changes Requiring Extra Attention

  • Security-related changes (encryption, TLS, SSRF, etc)

Release Note

Bump urllib3 to 2.7.0 to address CVE-2026-9375.

Made with Cursor

urllib3 <2.7.0 (shipped transitively via requests) can bypass the streaming
decompression-bomb safeguards (drain_conn after a partial read, and a second
Brotli read/stream), enabling a malicious HTTP server to trigger an OOM DoS.
Pin urllib3 directly to the fixed 2.7.0 release; no parent dependency forces
a fixed version.

Closes elastic/security#12535

Co-authored-by: Cursor <cursoragent@cursor.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant