Published
Permalink
CVE-2026-59939
7.5 HIGH
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): None (N)
- Integrity (I): None (N)
- Availability (A): High (H)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): None (N)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): None (N)
- Modified Availability (MA): High (H)
by @LeSuisse Activity log
- Created suggestion
-
@LeSuisse
ignored
2 packages
- python313Packages.google-auth-httplib2
- python314Packages.google-auth-httplib2
- @LeSuisse accepted
- @LeSuisse published on GitHub
httplib2: Decompression Bomb Denial of Service via Unbounded gzip/deflate Response Handling
httplib2 is a comprehensive HTTP client library for Python. Prior to 0.32.0, httplib2 performs unbounded decompression of HTTP response bodies encoded with Content-Encoding: gzip or deflate in _decompressContent in httplib2/init.py, allowing a malicious or compromised HTTP server to return a small compressed payload that expands to an arbitrarily large size in memory and causes MemoryError or OOM-kill in the client process. This issue is fixed in version 0.32.0.
References
-
https://github.com/httplib2/httplib2/security/advisories/GHSA-j5g9-f88f-gfj3 x_refsource_CONFIRM
-
https://github.com/httplib2/httplib2/releases/tag/v0.32.0 x_refsource_MISC
Affected products
httplib2
- ==< 0.32.0
Matching in nixpkgs
pkgs.python313Packages.httplib2
Comprehensive HTTP client library
Ignored packages (2)
pkgs.python313Packages.google-auth-httplib2
Google Authentication Library: httplib2 transport
Package maintainers
-
@fabaff Fabian Affolter <mail@fabian-affolter.ch>