fix(deps): pin urllib3 to 2.7.0 for CVE-2026-9375#4193
Open
Jan-Kazlouski-elastic wants to merge 1 commit into
Open
fix(deps): pin urllib3 to 2.7.0 for CVE-2026-9375#4193Jan-Kazlouski-elastic wants to merge 1 commit into
Jan-Kazlouski-elastic wants to merge 1 commit into
Conversation
urllib3 <2.7.0 (shipped transitively via requests) can bypass the streaming decompression-bomb safeguards (drain_conn after a partial read, and a second Brotli read/stream), enabling a malicious HTTP server to trigger an OOM DoS. Pin urllib3 directly to the fixed 2.7.0 release; no parent dependency forces a fixed version. Closes elastic/security#12535 Co-authored-by: Cursor <cursoragent@cursor.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes https://github.com/elastic/security/issues/12535
Pins
urllib3to the fixed2.7.0release to address CVE-2026-9375 (High, CWE-400), a decompression-bomb bypass in urllib3's streaming API.Assessment: Affected
urllib3ships transitively (viarequests==2.32.4, and alsobotocore/elastic-transport). None of these parents floorurllib3at>=2.7.0— current and latest releases all declare a broadurllib3<3range with a low lower bound — so the resolver could (and in the customer SBOM for 9.4.0/9.4.2 did) select the vulnerable2.6.3. A direct pin is the only deterministic remedy.The 2.7.0 fix closes two streaming decompression-bomb bypass paths. The Brotli-specific path is not reachable (Brotli is not an installed dependency), but the
HTTPResponse.drain_conn()-after-partial-read path is not Brotli-specific and is exercised byrequests' normal connection reuse on standard gzip/deflate responses. A malicious or compromised configured source could therefore trigger an out-of-memory denial of service. Impact is availability-only (CVSS 3.0 7.5,AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H); no confidentiality/integrity impact. Practical exposure is reduced because connectors only talks to operator-configured sources, not a public multi-tenant endpoint.Note: no
urllib32.6.4 exists on PyPI (versions jump 2.6.3 → 2.7.0); NVD confirms "affected < 2.7.0", so 2.7.0 is the fixed release.Scanner A/B (
CVE-2026-9375)The scanners track the duplicate OSV/GitHub record for the same decompression-bomb fix (
CVE-2026-44432/PYSEC-2026-142/GHSA-mf9v-mfxr-j63j) rather than the literalCVE-2026-9375; both are fixed in 2.7.0.(Snyk's DB does not carry this urllib3 advisory, so it neither reported before nor after — inconclusive.)
Checklists
Pre-Review Checklist
make clean install autoformat lint test PYTHON=python3.11, all tests pass)Changes Requiring Extra Attention
Release Note
Bump urllib3 to 2.7.0 to address CVE-2026-9375.
Made with Cursor