Nixpkgs security tracker

Login with GitHub

Suggestions search

With package: python314Packages.httplib2

Found 1 matching suggestions

View:
Compact
Detailed
Permalink CVE-2026-59939
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 3 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    2 packages
    • python313Packages.google-auth-httplib2
    • python314Packages.google-auth-httplib2
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
httplib2: Decompression Bomb Denial of Service via Unbounded gzip/deflate Response Handling

httplib2 is a comprehensive HTTP client library for Python. Prior to 0.32.0, httplib2 performs unbounded decompression of HTTP response bodies encoded with Content-Encoding: gzip or deflate in _decompressContent in httplib2/init.py, allowing a malicious or compromised HTTP server to return a small compressed payload that expands to an arbitrarily large size in memory and causes MemoryError or OOM-kill in the client process. This issue is fixed in version 0.32.0.

Affected products

httplib2
  • ==< 0.32.0

Matching in nixpkgs

Ignored packages (2)

Package maintainers