Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    Related vulnerabilities

    CVE-2026-59939 (GCVE-0-2026-59939)

    Vulnerability from cvelistv5 – Published: 2026-07-08 19:34 – Updated: 2026-07-10 14:55
    VLAI
    Title
    httplib2: Decompression Bomb Denial of Service via Unbounded gzip/deflate Response Handling
    Summary
    httplib2 is a comprehensive HTTP client library for Python. Prior to 0.32.0, httplib2 performs unbounded decompression of HTTP response bodies encoded with Content-Encoding: gzip or deflate in _decompressContent in httplib2/init.py, allowing a malicious or compromised HTTP server to return a small compressed payload that expands to an arbitrarily large size in memory and causes MemoryError or OOM-kill in the client process. This issue is fixed in version 0.32.0.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)
    Assigner
    Impacted products
    Vendor Product Version
    httplib2 httplib2 Affected: < 0.32.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-59939",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T14:55:00.644314Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T14:55:12.554Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-j5g9-f88f-gfj3"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "httplib2",
              "vendor": "httplib2",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.32.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "httplib2 is a comprehensive HTTP client library for Python. Prior to 0.32.0, httplib2 performs unbounded decompression of HTTP response bodies encoded with Content-Encoding: gzip or deflate in _decompressContent in httplib2/init.py, allowing a malicious or compromised HTTP server to return a small compressed payload that expands to an arbitrarily large size in memory and causes MemoryError or OOM-kill in the client process. This issue is fixed in version 0.32.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-409",
                  "description": "CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T19:34:05.150Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/httplib2/httplib2/security/advisories/GHSA-j5g9-f88f-gfj3",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-j5g9-f88f-gfj3"
            },
            {
              "name": "https://github.com/httplib2/httplib2/commit/87581ad6cf752fe3da2090c59058261d2d00a427",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/httplib2/httplib2/commit/87581ad6cf752fe3da2090c59058261d2d00a427"
            },
            {
              "name": "https://github.com/httplib2/httplib2/releases/tag/v0.32.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/httplib2/httplib2/releases/tag/v0.32.0"
            }
          ],
          "source": {
            "advisory": "GHSA-j5g9-f88f-gfj3",
            "discovery": "UNKNOWN"
          },
          "title": "httplib2: Decompression Bomb Denial of Service via Unbounded gzip/deflate Response Handling"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-59939",
        "datePublished": "2026-07-08T19:34:05.150Z",
        "dateReserved": "2026-07-07T18:20:06.127Z",
        "dateUpdated": "2026-07-10T14:55:12.554Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    PYSEC-2026-3444

    Vulnerability from pysec - Published: 2026-07-08 20:16 - Updated: 2026-07-14 09:58
    VLAI
    Details

    httplib2 is a comprehensive HTTP client library for Python. Prior to 0.32.0, httplib2 performs unbounded decompression of HTTP response bodies encoded with Content-Encoding: gzip or deflate in _decompressContent in httplib2/init.py, allowing a malicious or compromised HTTP server to return a small compressed payload that expands to an arbitrarily large size in memory and causes MemoryError or OOM-kill in the client process. This issue is fixed in version 0.32.0.

    Impacted products
    Name purl
    httplib2 pkg:pypi/httplib2

    {
      "affected": [
        {
          "ecosystem_specific": {},
          "package": {
            "ecosystem": "PyPI",
            "name": "httplib2",
            "purl": "pkg:pypi/httplib2"
          },
          "ranges": [
            {
              "events": [
                {
                  "introduced": "0"
                },
                {
                  "fixed": "0.32.0"
                }
              ],
              "type": "ECOSYSTEM"
            }
          ],
          "versions": [
            "0.10.3",
            "0.11.0",
            "0.11.1",
            "0.11.3",
            "0.12.0",
            "0.12.1",
            "0.12.3",
            "0.13.0",
            "0.13.1",
            "0.14.0",
            "0.15.0",
            "0.16.0",
            "0.17.0",
            "0.17.1",
            "0.17.2",
            "0.17.3",
            "0.17.4",
            "0.18.0",
            "0.18.1",
            "0.19.0",
            "0.19.1",
            "0.20.0",
            "0.20.1",
            "0.20.2",
            "0.20.4",
            "0.21.0",
            "0.22.0",
            "0.30.0",
            "0.30.2",
            "0.31.0",
            "0.31.1",
            "0.31.2",
            "0.7.0",
            "0.7.1",
            "0.7.2",
            "0.7.3",
            "0.7.4",
            "0.7.5",
            "0.7.6",
            "0.7.7",
            "0.8",
            "0.9",
            "0.9.1",
            "0.9.2"
          ]
        }
      ],
      "aliases": [
        "CVE-2026-59939",
        "GHSA-j5g9-f88f-gfj3"
      ],
      "details": "httplib2 is a comprehensive HTTP client library for Python. Prior to 0.32.0, httplib2 performs unbounded decompression of HTTP response bodies encoded with Content-Encoding: gzip or deflate in _decompressContent in httplib2/init.py, allowing a malicious or compromised HTTP server to return a small compressed payload that expands to an arbitrarily large size in memory and causes MemoryError or OOM-kill in the client process. This issue is fixed in version 0.32.0.",
      "id": "PYSEC-2026-3444",
      "modified": "2026-07-14T09:58:21.264561Z",
      "published": "2026-07-08T20:16:59.557Z",
      "references": [
        {
          "type": "ADVISORY",
          "url": "https://github.com/httplib2/httplib2/releases/tag/v0.32.0"
        },
        {
          "type": "FIX",
          "url": "https://github.com/httplib2/httplib2/commit/87581ad6cf752fe3da2090c59058261d2d00a427"
        },
        {
          "type": "EVIDENCE",
          "url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-j5g9-f88f-gfj3"
        }
      ],
      "severity": [
        {
          "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "type": "CVSS_V3"
        }
      ]
    }