| Package | python-urllib3 |
|---|---|
| Version | 1.24.1-1+deb10u5 (buster) |
| Related CVEs | CVE-2026-21441 |
It was discovered that python-urllib3, an HTTP library with thread-safe connection pooling for Python, read the entire response body in order to drain the connection and unnecessarily decompressed the content when following HTTP redirects via the streaming API.
This decompression occurred in a way that bypassed the library's decompression-bomb safeguards. A malicious server could therefore exploit this behavior to trigger a denial of service on the client through excessive resource consumption (high CPU usage and large memory allocations).
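As an added illustration (not urllib3's code and not the patched logic of the Debian package), the contrast the advisory describes: inflating a body only under a hard output cap, versus discarding an unwanted body (such as a redirect's) as raw bytes without decoding it at all. The function names, the cap values and the constructed sample body are assumptions.

```python
import gzip
import io
import zlib

# Constructed sample: 16 MiB of zeros gzips to a few kilobytes, the shape of a
# body that is cheap for a server to send and expensive for a client to inflate.
INFLATED_SIZE = 16 * 1024 * 1024
BOMB_BODY = gzip.compress(b"\0" * INFLATED_SIZE)


class DecompressionLimitExceeded(Exception):
    """Decoded output would exceed the cap the caller is willing to hold."""


def bounded_gunzip(compressed: bytes, max_output: int, chunk: int = 64 * 1024) -> bytes:
    """Inflate a gzip body without ever holding more than max_output decoded bytes.

    zlib.decompressobj(wbits=16 + MAX_WBITS) understands the gzip wrapper, and
    max_length on decompress() caps the output of each call, so a tiny
    compressed input cannot force one huge allocation.
    """
    decoder = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)
    out = bytearray()
    pos = 0
    pending = b""
    while not decoder.eof:
        if not pending:
            if pos >= len(compressed):
                raise ValueError("truncated gzip stream")
            pending = compressed[pos:pos + chunk]
            pos += chunk
        room = max_output - len(out)
        # Ask for one byte more than we will keep: any surplus proves the body
        # is over the cap without decoding the rest of it.
        piece = decoder.decompress(pending, room + 1)
        if len(out) + len(piece) > max_output:
            raise DecompressionLimitExceeded(f"decoded body exceeds {max_output} bytes")
        out += piece
        pending = decoder.unconsumed_tail  # input left over once max_length was hit
    return bytes(out)


def drain_raw(body: bytes, chunk: int = 64 * 1024) -> int:
    """Consume a body the caller will discard as raw bytes; returns bytes read.

    Nothing is decoded, so the cost is bounded by the transfer size rather than
    by how far the content inflates.
    """
    fp = io.BytesIO(body)  # stands in for the response's raw file object
    consumed = 0
    while True:
        data = fp.read(chunk)
        if not data:
            return consumed
        consumed += len(data)
```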
For Debian 10 buster, these problems have been fixed in version 1.24.1-1+deb10u5.
We recommend that you upgrade your python-urllib3 packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.