chore(deps): update dependency urllib3 to v2.6.3 [security] by renovate[bot] · Pull Request #73

chore(deps): update dependency urllib3 to v2.6.3 [security] by renovate[bot] · Pull Request #73 · cemsbv/plxcontroller

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
urllib3 (changelog)	`==2.0.7` → `==2.6.3`

GitHub Vulnerability Alerts

CVE-2024-37891

When using urllib3's proxy support with ProxyManager, the Proxy-Authorization header is only sent to the configured proxy, as expected.

However, when sending HTTP requests without using urllib3's proxy support, it's possible to accidentally configure the Proxy-Authorization header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the Proxy-Authorization HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects.

Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the Proxy-Authorization header during cross-origin redirects to avoid the small chance that users are doing this on accident.

Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the Proxy-Authorization header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach.

Affected usages

We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited:

Setting the Proxy-Authorization header without using urllib3's built-in proxy support.
Not disabling HTTP redirects.
Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin.

Remediation

Using the Proxy-Authorization header with urllib3's ProxyManager.
Disabling HTTP redirects using redirects=False when sending requests.
Not using the Proxy-Authorization header.

CVE-2025-50181

urllib3 handles redirects and retries using the same mechanism, which is controlled by the Retry object. The most common way to disable redirects is at the request level, as follows:

resp = urllib3.request("GET", "https://httpbin.org/redirect/1", redirect=False)
print(resp.status)

# 302

However, it is also possible to disable redirects, for all requests, by instantiating a PoolManager and specifying retries in a way that disable redirects:

import urllib3

http = urllib3.PoolManager(retries=0)  # should raise MaxRetryError on redirect
http = urllib3.PoolManager(retries=urllib3.Retry(redirect=0))  # equivalent to the above
http = urllib3.PoolManager(retries=False)  # should return the first response

resp = http.request("GET", "https://httpbin.org/redirect/1")

However, the retries parameter is currently ignored, which means all the above examples don't disable redirects.

Affected usages

Passing retries on PoolManager instantiation to disable redirects or restrict their number.

By default, requests and botocore users are not affected.

Impact

Redirects are often used to exploit SSRF vulnerabilities. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects at the PoolManager level will remain vulnerable.

Remediation

You can remediate this vulnerability with the following steps:

Upgrade to a patched version of urllib3. If your organization would benefit from the continued support of urllib3 1.x, please contact sethmichaellarson@gmail.com to discuss sponsorship or contribution opportunities.
Disable redirects at the request() level instead of the PoolManager() level.

CVE-2025-66418

Impact

urllib3 supports chained HTTP encoding algorithms for response content according to RFC 9110 (e.g., Content-Encoding: gzip, zstd).

However, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data.

Affected usages

Applications and libraries using urllib3 version 2.5.0 and earlier for HTTP requests to untrusted sources unless they disable content decoding explicitly.

Remediation

Upgrade to at least urllib3 v2.6.0 in which the library limits the number of links to 5.

If upgrading is not immediately possible, use preload_content=False and ensure that resp.headers["content-encoding"] contains a safe number of encodings before reading the response content.

CVE-2025-66471

Impact

urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once.

When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation.

The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data; CWE-409) on the client side, even if the application only requested a small chunk of data.

Affected usages

Applications and libraries using urllib3 version 2.5.0 and earlier to stream large compressed responses or content from untrusted sources.

stream(), read(amt=256), read1(amt=256), read_chunked(amt=256), readinto(b) are examples of urllib3.HTTPResponse method calls using the affected logic unless decoding is disabled explicitly.

Remediation

Upgrade to at least urllib3 v2.6.0 in which the library avoids decompressing data that exceeds the requested amount.

If your environment contains a package facilitating the Brotli encoding, upgrade to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 too. These versions are enforced by the urllib3[brotli] extra in the patched versions of urllib3.

Credits

The issue was reported by @Cycloctane.
Supplemental information was provided by @stamparm during a security audit performed by 7ASecurity and facilitated by OSTIF.

CVE-2026-21441

Impact

urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once.

urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption.

However, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client (high CPU usage and large memory allocations for decompressed data; CWE-409).

Affected usages

Applications and libraries using urllib3 version 2.6.2 and earlier to stream content from untrusted sources by setting preload_content=False when they do not disable redirects.

Remediation

Upgrade to at least urllib3 v2.6.3 in which the library does not decode content of redirect responses when preload_content=False.

If upgrading is not immediately possible, disable redirects by setting redirect=False for requests to untrusted source.

Release Notes

urllib3/urllib3 (urllib3)

`v2.6.3`

Compare Source

==================

Fixed a high-severity security issue where decompression-bomb safeguards of
the streaming API were bypassed when HTTP redirects were followed.
(GHSA-38jv-5279-wg99 <https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99>__)
Started treating Retry-After times greater than 6 hours as 6 hours by
default. (#3743 <https://github.com/urllib3/urllib3/issues/3743>__)
Fixed urllib3.connection.VerifiedHTTPSConnection on Emscripten.
(#3752 <https://github.com/urllib3/urllib3/issues/3752>__)

`v2.6.2`

Compare Source

==================

Fixed HTTPResponse.read_chunked() to properly handle leftover data in
the decoder's buffer when reading compressed chunked responses.
(#3734 <https://github.com/urllib3/urllib3/issues/3734>__)

`v2.6.1`

Compare Source

==================

Restore previously removed HTTPResponse.getheaders() and
HTTPResponse.getheader() methods.
(#3731 <https://github.com/urllib3/urllib3/issues/3731>__)

`v2.6.0`

Compare Source

==================

Security

Fixed a security issue where streaming API could improperly handle highly
compressed HTTP content ("decompression bombs") leading to excessive resource
consumption even when a small amount of data was requested. Reading small
chunks of compressed data is safer and much more efficient now.
(GHSA-2xpw-w6gg-jr37 <https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37>__)
Fixed a security issue where an attacker could compose an HTTP response with
virtually unlimited links in the Content-Encoding header, potentially
leading to a denial of service (DoS) attack by exhausting system resources
during decoding. The number of allowed chained encodings is now limited to 5.
(GHSA-gm62-xv2j-4w53 <https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53>__)

.. caution::

If urllib3 is not installed with the optional urllib3[brotli] extra, but
your environment contains a Brotli/brotlicffi/brotlipy package anyway, make
sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to
benefit from the security fixes and avoid warnings. Prefer using
urllib3[brotli] to install a compatible Brotli package automatically.
If you use custom decompressors, please make sure to update them to
respect the changed API of urllib3.response.ContentDecoder.

Features

Enabled retrieval, deletion, and membership testing in HTTPHeaderDict using bytes keys. (#3653 <https://github.com/urllib3/urllib3/issues/3653>__)
Added host and port information to string representations of HTTPConnection. (#3666 <https://github.com/urllib3/urllib3/issues/3666>__)
Added support for Python 3.14 free-threading builds explicitly. (#3696 <https://github.com/urllib3/urllib3/issues/3696>__)

Removals

Removed the HTTPResponse.getheaders() method in favor of HTTPResponse.headers.
Removed the HTTPResponse.getheader(name, default) method in favor of HTTPResponse.headers.get(name, default). (#3622 <https://github.com/urllib3/urllib3/issues/3622>__)

Bugfixes

Fixed redirect handling in urllib3.PoolManager when an integer is passed
for the retries parameter. (#3649 <https://github.com/urllib3/urllib3/issues/3649>__)
Fixed HTTPConnectionPool when used in Emscripten with no explicit port. (#3664 <https://github.com/urllib3/urllib3/issues/3664>__)
Fixed handling of SSLKEYLOGFILE with expandable variables. (#3700 <https://github.com/urllib3/urllib3/issues/3700>__)

Misc

Changed the zstd extra to install backports.zstd instead of zstandard on Python 3.13 and before. (#3693 <https://github.com/urllib3/urllib3/issues/3693>__)
Improved the performance of content decoding by optimizing BytesQueueBuffer class. (#3710 <https://github.com/urllib3/urllib3/issues/3710>__)
Allowed building the urllib3 package with newer setuptools-scm v9.x. (#3652 <https://github.com/urllib3/urllib3/issues/3652>__)
Ensured successful urllib3 builds by setting Hatchling requirement to >= 1.27.0. (#3638 <https://github.com/urllib3/urllib3/issues/3638>__)

`v2.5.0`

Compare Source

==================

Features

Added support for the compression.zstd module that is new in Python 3.14.
See PEP 784 <https://peps.python.org/pep-0784/>_ for more information. (#3610 <https://github.com/urllib3/urllib3/issues/3610>__)
Added support for version 0.5 of hatch-vcs (#3612 <https://github.com/urllib3/urllib3/issues/3612>__)

Bugfixes

Fixed a security issue where restricting the maximum number of followed
redirects at the urllib3.PoolManager level via the retries parameter
did not work.
Made the Node.js runtime respect redirect parameters such as retries
and redirects.
Raised exception for HTTPResponse.shutdown on a connection already released to the pool. (#3581 <https://github.com/urllib3/urllib3/issues/3581>__)
Fixed incorrect CONNECT statement when using an IPv6 proxy with connection_from_host. Previously would not be wrapped in []. (#3615 <https://github.com/urllib3/urllib3/issues/3615>__)

`v2.4.0`

Compare Source

==================

Features

Applied PEP 639 by specifying the license fields in pyproject.toml. (#3522 <https://github.com/urllib3/urllib3/issues/3522>__)
Updated exceptions to save and restore more properties during the pickle/serialization process. (#3567 <https://github.com/urllib3/urllib3/issues/3567>__)
Added verify_flags option to create_urllib3_context with a default of VERIFY_X509_PARTIAL_CHAIN and VERIFY_X509_STRICT for Python 3.13+. (#3571 <https://github.com/urllib3/urllib3/issues/3571>__)

Bugfixes

Fixed a bug with partial reads of streaming data in Emscripten. (#3555 <https://github.com/urllib3/urllib3/issues/3555>__)

Misc

Switched to uv for installing development dependecies. (#3550 <https://github.com/urllib3/urllib3/issues/3550>__)
Removed the multiple.intoto.jsonl asset from GitHub releases. Attestation of release files since v2.3.0 can be found on PyPI. (#3566 <https://github.com/urllib3/urllib3/issues/3566>__)

`v2.3.0`

Compare Source

==================

Features

Applied PEP 639 by specifying the license fields in pyproject.toml. (#3522 <https://github.com/urllib3/urllib3/issues/3522>__)
Updated exceptions to save and restore more properties during the pickle/serialization process. (#3567 <https://github.com/urllib3/urllib3/issues/3567>__)
Added verify_flags option to create_urllib3_context with a default of VERIFY_X509_PARTIAL_CHAIN and VERIFY_X509_STRICT for Python 3.13+. (#3571 <https://github.com/urllib3/urllib3/issues/3571>__)

Bugfixes

Fixed a bug with partial reads of streaming data in Emscripten. (#3555 <https://github.com/urllib3/urllib3/issues/3555>__)

Misc

Switched to uv for installing development dependecies. (#3550 <https://github.com/urllib3/urllib3/issues/3550>__)
Removed the multiple.intoto.jsonl asset from GitHub releases. Attestation of release files since v2.3.0 can be found on PyPI. (#3566 <https://github.com/urllib3/urllib3/issues/3566>__)

`v2.2.3`

Compare Source

==================

Features

Added support for Python 3.13. (#3473 <https://github.com/urllib3/urllib3/issues/3473>__)

Bugfixes

Fixed the default encoding of chunked request bodies to be UTF-8 instead of ISO-8859-1.
All other methods of supplying a request body already use UTF-8 starting in urllib3 v2.0. (#3053 <https://github.com/urllib3/urllib3/issues/3053>__)
Fixed ResourceWarning on CONNECT with Python < 3.11.4 by backporting python/cpython#103472. (#3252 <https://github.com/urllib3/urllib3/issues/3252>__)
Adjust tolerance for floating-point comparison on Windows to avoid flakiness in CI (#3413 <https://github.com/urllib3/urllib3/issues/3413>__)
Fixed a crash where certain standard library hash functions were absent in restricted environments. (#3432 <https://github.com/urllib3/urllib3/issues/3432>__)
Fixed mypy error when adding to HTTPConnection.default_socket_options. (#3448 <https://github.com/urllib3/urllib3/issues/3448>__)

HTTP/2 (experimental)

HTTP/2 support is still in early development.

Excluded Transfer-Encoding: chunked from HTTP/2 request body (#3425 <https://github.com/urllib3/urllib3/issues/3425>__)
Added version checking for h2 (https://pypi.org/project/h2/) usage.

Now only accepting supported h2 major version 4.x.x. (#3290 <https://github.com/urllib3/urllib3/issues/3290>__)
Added a probing mechanism for determining whether a given target origin
supports HTTP/2 via ALPN. (#3301 <https://github.com/urllib3/urllib3/issues/3301>__)
Add support for sending a request body with HTTP/2 (#3302 <https://github.com/urllib3/urllib3/issues/3302>__)

Deprecations and Removals

Note for downstream distributors: the _version.py file has been removed and is now created at build time by hatch-vcs. (#3412 <https://github.com/urllib3/urllib3/issues/3412>__)
Drop support for end-of-life PyPy3.8 and PyPy3.9. (#3475 <https://github.com/urllib3/urllib3/issues/3475>__)

`v2.2.2`

Compare Source

==================

Added the Proxy-Authorization header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect.
Allowed passing negative integers as amt to read methods of http.client.HTTPResponse as an alternative to None. (#3122 <https://github.com/urllib3/urllib3/issues/3122>__)
Fixed return types representing copying actions to use typing.Self. (#3363 <https://github.com/urllib3/urllib3/issues/3363>__)

`v2.2.1`

Compare Source

==================

Fixed issue where InsecureRequestWarning was emitted for HTTPS connections when using Emscripten. (#3331 <https://github.com/urllib3/urllib3/issues/3331>__)
Fixed HTTPConnectionPool.urlopen to stop automatically casting non-proxy headers to HTTPHeaderDict. This change was premature as it did not apply to proxy headers and HTTPHeaderDict does not handle byte header values correctly yet. (#3343 <https://github.com/urllib3/urllib3/issues/3343>__)
Changed InvalidChunkLength to ProtocolError when response terminates before the chunk length is sent. (#2860 <https://github.com/urllib3/urllib3/issues/2860>__)
Changed ProtocolError to be more verbose on incomplete reads with excess content. (#3261 <https://github.com/urllib3/urllib3/issues/3261>__)

`v2.2.0`

Compare Source

==================

Added support for Emscripten and Pyodide <https://urllib3.readthedocs.io/en/latest/reference/contrib/emscripten.html>, including streaming support in cross-origin isolated browser environments where threading is enabled. (#2951 <https://github.com/urllib3/urllib3/issues/2951>)
Added support for HTTPResponse.read1() method. (#3186 <https://github.com/urllib3/urllib3/issues/3186>__)
Added rudimentary support for HTTP/2. (#3284 <https://github.com/urllib3/urllib3/issues/3284>__)
Fixed issue where requests against urls with trailing dots were failing due to SSL errors
when using proxy. (#2244 <https://github.com/urllib3/urllib3/issues/2244>__)
Fixed HTTPConnection.proxy_is_verified and HTTPSConnection.proxy_is_verified
to be always set to a boolean after connecting to a proxy. It could be
None in some cases previously. (#3130 <https://github.com/urllib3/urllib3/issues/3130>__)
Fixed an issue where headers passed in a request with json= would be mutated (#3203 <https://github.com/urllib3/urllib3/issues/3203>__)
Fixed HTTPSConnection.is_verified to be set to False when connecting
from a HTTPS proxy to an HTTP target. It was set to True previously. (#3267 <https://github.com/urllib3/urllib3/issues/3267>__)
Fixed handling of new error message from OpenSSL 3.2.0 when configuring an HTTP proxy as HTTPS (#3268 <https://github.com/urllib3/urllib3/issues/3268>__)
Fixed TLS 1.3 post-handshake auth when the server certificate validation is disabled (#3325 <https://github.com/urllib3/urllib3/issues/3325>__)
Note for downstream distributors: To run integration tests, you now need to run the tests a second
time with the --integration pytest flag. (#3181 <https://github.com/urllib3/urllib3/issues/3181>__)

`v2.1.0`

Compare Source

==================

Removed support for the deprecated urllib3[secure] extra. (#2680 <https://github.com/urllib3/urllib3/issues/2680>__)
Removed support for the deprecated SecureTransport TLS implementation. (#2681 <https://github.com/urllib3/urllib3/issues/2681>__)
Removed support for the end-of-life Python 3.7. (#3143 <https://github.com/urllib3/urllib3/issues/3143>__)
Allowed loading CA certificates from memory for proxies. (#3065 <https://github.com/urllib3/urllib3/issues/3065>__)
Fixed decoding Gzip-encoded responses which specified x-gzip content-encoding. (#3174 <https://github.com/urllib3/urllib3/issues/3174>__)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.