[GHSA-qccp-gfcp-xxvc] urllib3: Sensitive headers forwarded across origins in proxied low-level redirects #7876
Conversation
Hi there @illia-v! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.

Why do you change GHSA-qccp-gfcp-xxvc while describing GHSA-mf9v-mfxr-j63j?

I'm sorry for the noise. I'm working on both simultaneously, and I'm not able to reproduce CVE-2026-44432 on urllib3 1.24.2, and then I saw the introduced-in version, but it belongs to the other vulnerability. Sorry. Closing.
Comments
I've investigated the issues in older releases of urllib3 and AFAIUI, releases older than 1.26 are not vulnerable.
CVE-2026-44432 has two triggerable paths. Both share the same root cause: a caller obtains a partially-read, Brotli- or gzip-compressed response, then drain_conn() is called (explicitly or via redirect/retry handling), which calls self.read() with no length bound, causing full decompression of the remaining body without any size safeguard.
drain_conn() was introduced in PR #1817 (commit 29b214a1), which shipped in 1.26.0. It is absent in every prior release.
In 1.24.x and 1.25.x the only drain-like mechanism is an internal closure drain_and_release_conn inside urlopen, which is not user-callable and is only invoked during redirect/retry handling — at which point _has_decoded_content is always False (no partial user read can occur before redirect processing returns control), so it drains without decompression.
Additionally, Brotli support (BrotliDecoder, Content-Encoding: br) was itself only added in 1.25.0. In 1.24.x there is no Brotli code path at all: HTTPResponse.CONTENT_DECODERS lists only ['gzip', 'deflate'].
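The comment above describes the root cause as a drain step that calls read() with no length bound and therefore decodes whatever remains of a partially-read, compressed body. The following Python is an added illustrative model of that pattern and of a bounded alternative; it is not urllib3's code and not from the comment's author. The fixtures (a gzip body that expands to 4 MiB of zeros, and a small ordinary body) are constructed here, and the names CHUNK_SIZE, partially_read_stream, drain_unbounded, drain_bounded, drain_result and DecodedSizeExceeded are hypothetical.

```python
"""Bounded versus unbounded draining of a compressed response body.

Illustrative model only (added example); it is not urllib3's code. It
models the pattern described in the comment above: a caller has read
part of a gzip body, then a drain step decodes everything that remains
with no cap on decoded size. The bounded variant stops as soon as the
decoded output would pass a cap, so the caller can discard the
connection instead of decoding the rest of the body.
"""
import gzip
import io
import zlib

CHUNK_SIZE = 8192  # hypothetical read size for the raw socket stream

# Constructed fixtures: one body that expands enormously when decoded,
# one ordinary small body.
LARGE_PLAIN_SIZE = 4 * 1024 * 1024                  # 4 MiB of zeros
LARGE_BODY = gzip.compress(b"\x00" * LARGE_PLAIN_SIZE)
SMALL_PLAIN = b"hello world" * 100                   # 1100 bytes
SMALL_BODY = gzip.compress(SMALL_PLAIN)


class DecodedSizeExceeded(Exception):
    """Raised when draining would decode more than the allowed cap."""

    def __init__(self, decoded):
        super().__init__(f"decoded output exceeded cap ({decoded} bytes)")
        self.decoded = decoded


def new_gzip_decoder():
    # 16 + MAX_WBITS tells zlib to expect a gzip container.
    return zlib.decompressobj(16 + zlib.MAX_WBITS)


def partially_read_stream(body, first_read=1024):
    """Simulate a user reading up to `first_read` decoded bytes, then stopping.

    Returns (fp, decoder, bytes_already_decoded); fp and decoder together
    stand in for a streamed response that still has content outstanding.
    """
    fp = io.BytesIO(body)
    decoder = new_gzip_decoder()
    out = decoder.decompress(fp.read(CHUNK_SIZE), first_read)
    return fp, decoder, len(out)


def drain_unbounded(fp, decoder):
    """Models the vulnerable drain: decode all remaining input, no cap."""
    total = 0
    while True:
        # Input zlib has not consumed yet comes first, then the socket.
        data = decoder.unconsumed_tail or fp.read(CHUNK_SIZE)
        if not data:
            break
        total += len(decoder.decompress(data))  # no max_length: unbounded
    return total


def drain_bounded(fp, decoder, max_decoded):
    """Decode what remains, never producing more than max_decoded bytes.

    Raises DecodedSizeExceeded on overrun; reaching the cap exactly is fine.
    """
    total = 0
    while not decoder.eof:
        data = decoder.unconsumed_tail or fp.read(CHUNK_SIZE)
        if not data:
            break  # truncated stream: nothing more to decode
        # Ask for at most one byte past the cap, so only a real overrun is
        # reported and a trailing gzip footer does not trip the check.
        total += len(decoder.decompress(data, max_decoded - total + 1))
        if total > max_decoded:
            raise DecodedSizeExceeded(total)
    return total


def drain_result(body, cap, first_read=1024):
    """Wrapper returning ('drained' | 'rejected', already_read, decoded)."""
    fp, decoder, already = partially_read_stream(body, first_read)
    try:
        return "drained", already, drain_bounded(fp, decoder, cap)
    except DecodedSizeExceeded as exc:
        return "rejected", already, exc.decoded


if __name__ == "__main__":
    fp, dec, already = partially_read_stream(LARGE_BODY)
    print("unbounded drain decoded", drain_unbounded(fp, dec), "bytes")
    print("bounded drain, large body:", drain_result(LARGE_BODY, 64 * 1024))
    print("bounded drain, small body:", drain_result(SMALL_BODY, 64 * 1024))
```

The design point is that a drain exists to make a pooled connection reusable, so once the decoded size passes the cap there is nothing worth continuing for: the bounded variant reports the overrun and leaves it to the caller to close the connection, while the unbounded variant decodes the whole 4 MiB from a few kilobytes of input.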