Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
Related vulnerabilities
CVE-2026-59939 (GCVE-0-2026-59939)
Vulnerability from cvelistv5 – Published: 2026-07-08 19:34 – Updated: 2026-07-10 14:55
VLAI
EPSS
VEX
Title
httplib2: Decompression Bomb Denial of Service via Unbounded gzip/deflate Response Handling
Summary
httplib2 is a comprehensive HTTP client library for Python. Prior to 0.32.0, httplib2 performs unbounded decompression of HTTP response bodies encoded with Content-Encoding: gzip or deflate in _decompressContent in httplib2/init.py, allowing a malicious or compromised HTTP server to return a small compressed payload that expands to an arbitrarily large size in memory and causes MemoryError or OOM-kill in the client process. This issue is fixed in version 0.32.0.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/httplib2/httplib2/security/adv… | x_refsource_CONFIRM |
| https://github.com/httplib2/httplib2/commit/87581… | x_refsource_MISC |
| https://github.com/httplib2/httplib2/releases/tag… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-59939",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-10T14:55:00.644314Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T14:55:12.554Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-j5g9-f88f-gfj3"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "httplib2",
"vendor": "httplib2",
"versions": [
{
"status": "affected",
"version": "\u003c 0.32.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "httplib2 is a comprehensive HTTP client library for Python. Prior to 0.32.0, httplib2 performs unbounded decompression of HTTP response bodies encoded with Content-Encoding: gzip or deflate in _decompressContent in httplib2/init.py, allowing a malicious or compromised HTTP server to return a small compressed payload that expands to an arbitrarily large size in memory and causes MemoryError or OOM-kill in the client process. This issue is fixed in version 0.32.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-409",
"description": "CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T19:34:05.150Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/httplib2/httplib2/security/advisories/GHSA-j5g9-f88f-gfj3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-j5g9-f88f-gfj3"
},
{
"name": "https://github.com/httplib2/httplib2/commit/87581ad6cf752fe3da2090c59058261d2d00a427",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/httplib2/httplib2/commit/87581ad6cf752fe3da2090c59058261d2d00a427"
},
{
"name": "https://github.com/httplib2/httplib2/releases/tag/v0.32.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/httplib2/httplib2/releases/tag/v0.32.0"
}
],
"source": {
"advisory": "GHSA-j5g9-f88f-gfj3",
"discovery": "UNKNOWN"
},
"title": "httplib2: Decompression Bomb Denial of Service via Unbounded gzip/deflate Response Handling"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-59939",
"datePublished": "2026-07-08T19:34:05.150Z",
"dateReserved": "2026-07-07T18:20:06.127Z",
"dateUpdated": "2026-07-10T14:55:12.554Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
PYSEC-2026-3444
Vulnerability from pysec - Published: 2026-07-08 20:16 - Updated: 2026-07-14 09:58
VLAI
Details
httplib2 is a comprehensive HTTP client library for Python. Prior to 0.32.0, httplib2 performs unbounded decompression of HTTP response bodies encoded with Content-Encoding: gzip or deflate in _decompressContent in httplib2/init.py, allowing a malicious or compromised HTTP server to return a small compressed payload that expands to an arbitrarily large size in memory and causes MemoryError or OOM-kill in the client process. This issue is fixed in version 0.32.0.
Severity
7.5 (High)
Impacted products
| Name | purl | httplib2 | pkg:pypi/httplib2 |
|---|
Aliases
{
"affected": [
{
"ecosystem_specific": {},
"package": {
"ecosystem": "PyPI",
"name": "httplib2",
"purl": "pkg:pypi/httplib2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.32.0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.10.3",
"0.11.0",
"0.11.1",
"0.11.3",
"0.12.0",
"0.12.1",
"0.12.3",
"0.13.0",
"0.13.1",
"0.14.0",
"0.15.0",
"0.16.0",
"0.17.0",
"0.17.1",
"0.17.2",
"0.17.3",
"0.17.4",
"0.18.0",
"0.18.1",
"0.19.0",
"0.19.1",
"0.20.0",
"0.20.1",
"0.20.2",
"0.20.4",
"0.21.0",
"0.22.0",
"0.30.0",
"0.30.2",
"0.31.0",
"0.31.1",
"0.31.2",
"0.7.0",
"0.7.1",
"0.7.2",
"0.7.3",
"0.7.4",
"0.7.5",
"0.7.6",
"0.7.7",
"0.8",
"0.9",
"0.9.1",
"0.9.2"
]
}
],
"aliases": [
"CVE-2026-59939",
"GHSA-j5g9-f88f-gfj3"
],
"details": "httplib2 is a comprehensive HTTP client library for Python. Prior to 0.32.0, httplib2 performs unbounded decompression of HTTP response bodies encoded with Content-Encoding: gzip or deflate in _decompressContent in httplib2/init.py, allowing a malicious or compromised HTTP server to return a small compressed payload that expands to an arbitrarily large size in memory and causes MemoryError or OOM-kill in the client process. This issue is fixed in version 0.32.0.",
"id": "PYSEC-2026-3444",
"modified": "2026-07-14T09:58:21.264561Z",
"published": "2026-07-08T20:16:59.557Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/httplib2/httplib2/releases/tag/v0.32.0"
},
{
"type": "FIX",
"url": "https://github.com/httplib2/httplib2/commit/87581ad6cf752fe3da2090c59058261d2d00a427"
},
{
"type": "EVIDENCE",
"url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-j5g9-f88f-gfj3"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}