Jump to solution
Verify

urllib3 IndexError when handle malformed http response (Fix)

Fixed
Spec
Package
urllib3
Fixed In
1.25
Verdict
Status
Fixed
Safe for prod
No
Risk
Medium
Last verified
2026-02-09
Own content ratio
0.41
#1286 ai auth connection-leak dns llm timeouts Idempotency Violation Updated: 2026-02-13
Issue #1286

The Fix

pip install urllib3==1.25

Based on closed urllib3/urllib3 issue #1286 · PR/commit linked

Production note: Watch p95/p99 latency and retry volume; timeouts can turn into retry storms and duplicate side-effects.

Jump to Verify Open PR/Commit
@@ -4,6 +4,7 @@ import pytest +from urllib3.exceptions import InvalidHeader from urllib3.packages import six xrange = six.moves.xrange
repro.py
HTTP/1.1 200 OK Content-Type: application/octet-stream Content-Length: 89606 Content-Disposition: attachment; filename="MB-500Ap_2009-01-12.cfg" Connection: close Brickcom-50xA OperationSetting.locale=auto HostName.name=cam ModuleInfo.DIDO_module=1 ModuleInfo.PIR_module=0 ModuleInfo.WLED=0 SensorFPSSetting.fps=0 ModuleInfo.AUTOIRIS_module=0 ModuleInfo.IRCUT_module=0 ModuleInfo.IRLED_module=0 ModuleInfo.lightsensor=0 ModuleInfo.EXPOSURE_module=0 ModuleInfo.MDNS_module=0 ModuleInfo.PTZ_module=1 ModuleInfo.MSN_module=0 ModuleInfo.WIFI_module=0 ModuleInfo.watchDog_module=0 ModuleInfo.sdcard_module=1 ModuleInfo.usbstorage_module=0 ModuleInfo.sambamount_module=0 ModuleInfo.QoS=0 ModuleInfo.shutter_speed=0 ModuleInfo.discovery_internet=1 ModuleInfo.POE_module= ModuleInfo.audio_record=1
verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
fix.md
Option A — Upgrade to fixed release\npip install urllib3==1.25\nWhen NOT to use: This fix should not be applied if the server is expected to send valid headers.\n\n

Why This Fix Works in Production

  • Trigger: req = http_get(url, auth=("admin", "admin"), timeout=timeout, verify=False)
  • Mechanism: Invalid headers with leading whitespace caused an IndexError due to assumptions in header parsing
  • Why the fix works: This change ensures that we fail with a descriptive exception in cases where invalid headers beginning with optional whitespace are passed without a prior header to which they can be attached. (first fixed release: 1.25).
Production impact:
  • If left unfixed, this can cause silent data inconsistencies that propagate (bad cache entries, incorrect downstream decisions).

Why This Breaks in Prod

  • Invalid headers with leading whitespace caused an IndexError due to assumptions in header parsing
  • Surfaces as: req = http_get(url, auth=("admin", "admin"), timeout=timeout, verify=False)

Proof / Evidence

  • GitHub issue: #1286
  • Fix PR: https://github.com/urllib3/urllib3/pull/1318
  • First fixed release: 1.25
  • Reproduced locally: No (not executed)
  • Last verified: 2026-02-09
  • Confidence: 0.85
  • Did this fix it?: Yes (upstream fix exists)
  • Own content ratio: 0.41

Discussion

High-signal excerpts from the issue thread (symptoms, repros, edge-cases).

Jump to Sources Open on GitHub
“I'll see if I can replicate soon and figure out the right strategy. In the original, are those header fields spaced out with \t, or…”
@haikuginger · 2017-11-29 · source
“@haikuginger we're not correctly dropping them necessarily. We're expecting valid headers. The server is wrong and I think we should raise an InvalidHeader exception of…”
@sigmavirus24 · 2017-11-29 · source
“In this instance I think the error is coming from httplib, so we may not be able to raise that error easily.”
@Lukasa · 2017-11-30 · source
“@haikuginger yeah, 2 is what we're missing and definitely seems reasonable. 👍”
@sigmavirus24 · 2017-12-26 · source

Failure Signature (Search String)

  • req = http_get(url, auth=("admin", "admin"), timeout=timeout, verify=False)

Error Message

Stack trace
error.txt
Error Message ------------- req = http_get(url, auth=("admin", "admin"), timeout=timeout, verify=False) File "C:\Python27\lib\site-packages\requests\api.py", line 72, in get return request('get', url, params=params, **kwargs) File "C:\Python27\lib\site-packages\requests\api.py", line 58, in request return session.request(method=method, url=url, **kwargs) File "C:\Python27\lib\site-packages\requests\sessions.py", line 508, in request resp = self.send(prep, **send_kwargs) File "C:\Python27\lib\site-packages\requests\sessions.py", line 618, in send r = adapter.send(request, **kwargs) File "C:\Python27\lib\site-packages\requests\adapters.py", line 440, in send timeout=timeout File "C:\Python27\lib\site-packages\urllib3\connectionpool.py", line 617, in urlopen **response_kw) File "C:\Python27\lib\site-packages\urllib3\response.py", line 456, in from_httplib headers = HTTPHeaderDict.from_httplib(headers) File "C:\Python27\lib\site-packages\urllib3\_collections.py", line 312, in from_httplib key, value = headers[-1] IndexError: list index out of range

Minimal Reproduction

repro.py
HTTP/1.1 200 OK Content-Type: application/octet-stream Content-Length: 89606 Content-Disposition: attachment; filename="MB-500Ap_2009-01-12.cfg" Connection: close Brickcom-50xA OperationSetting.locale=auto HostName.name=cam ModuleInfo.DIDO_module=1 ModuleInfo.PIR_module=0 ModuleInfo.WLED=0 SensorFPSSetting.fps=0 ModuleInfo.AUTOIRIS_module=0 ModuleInfo.IRCUT_module=0 ModuleInfo.IRLED_module=0 ModuleInfo.lightsensor=0 ModuleInfo.EXPOSURE_module=0 ModuleInfo.MDNS_module=0 ModuleInfo.PTZ_module=1 ModuleInfo.MSN_module=0 ModuleInfo.WIFI_module=0 ModuleInfo.watchDog_module=0 ModuleInfo.sdcard_module=1 ModuleInfo.usbstorage_module=0 ModuleInfo.sambamount_module=0 ModuleInfo.QoS=0 ModuleInfo.shutter_speed=0 ModuleInfo.discovery_internet=1 ModuleInfo.POE_module= ModuleInfo.audio_record=1

What Broke

The application crashes with an IndexError when processing malformed HTTP responses.

Why It Broke

Invalid headers with leading whitespace caused an IndexError due to assumptions in header parsing

Fix Options (Details)

Option A — Upgrade to fixed release Safe default (recommended)

pip install urllib3==1.25

When NOT to use: This fix should not be applied if the server is expected to send valid headers.

Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.

Fix reference: https://github.com/urllib3/urllib3/pull/1318

First fixed release: 1.25

Last verified: 2026-02-09. Validate in your environment.

Get updates

We publish verified fixes weekly. No spam.

Subscribe

When NOT to Use This Fix

  • This fix should not be applied if the server is expected to send valid headers.

Verify Fix

verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.

Did This Fix Work in Your Case?

Quick signal helps us prioritize which fixes to verify and improve.

Prevention

  • Add a CI check that diffs key outputs after upgrades (OpenAPI schema snapshots, JSON payload shapes, CLI output).
  • Upgrade behind a canary and run integration tests against the canary before 100% rollout.
  • Track RSS + object counts after deployments; alert on monotonic growth and GC pressure.
  • Add a long-running test that repeats the failing call path and asserts stable memory.

Version Compatibility Table

VersionStatus
1.25 Fixed

Related Issues

No related fixes found.

Cluster: urllib3:data-consistency urllib3 hub urllib3 best practices All hubs All clusters
Related clusters: Configuration error SSL handshake Other

Sources

We don’t republish the full GitHub discussion text. Use the links above for context.

Source & Disclaimer: Analysis derived from GitHub Issue #1286. Not affiliated with the library maintainers. Verify before production use.