
The Fix

pip install urllib3==1.25

Based on closed urllib3/urllib3 issue #1467 · PR/commit linked

@@ -4,6 +4,8 @@ Changes ------------ +* Remove quadratic behavior within ``GzipDecoder.decompress()`` (Issue #1467) + * ... [Short description of non-trivial change.] (Issue #)
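Review bot: the second added line in this hunk, `* ... [Short description of non-trivial change.] (Issue #)`, is a template placeholder rather than a changelog entry; if the project deliberately keeps that placeholder at the head of the unreleased section, leave it, otherwise drop it before merge. The first added line could also reference the PR next to Issue #1467 so readers of the changelog can find the code change, since this hunk only touches the changelog text.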

Why This Fix Works in Production

  • Trigger: Malicious servers can exploit this to cause excessive CPU usage in urllib3 clients.
  • Mechanism: The GzipDecoder accumulates bytes using repeated calls to += on a bytes object, causing quadratic behavior.
  • Why the fix works: Fixes the quadratic behavior in GzipDecoder by using bytearray to accumulate bytes, improving performance significantly. (first fixed release: 1.25).
Production impact:
  • If left unfixed, this can cause silent data inconsistencies that propagate (bad cache entries, incorrect downstream decisions).

Why This Breaks in Prod

  • The GzipDecoder accumulates bytes using repeated calls to += on a bytes object, causing quadratic behavior.
  • Production symptom (often without a traceback): Malicious servers can exploit this to cause excessive CPU usage in urllib3 clients.

Proof / Evidence

  • GitHub issue: #1467
  • Fix PR: https://github.com/urllib3/urllib3/pull/1468
  • First fixed release: 1.25
  • Reproduced locally: No (not executed)
  • Last verified: 2026-02-09
  • Confidence: 0.95
  • Did this fix it?: Yes (upstream fix exists)
  • Own content ratio: 0.60

Discussion

High-signal excerpts from the issue thread (symptoms, repros, edge-cases).

“Cool, do you wanna send a PR to fix this or just let me or @SethMichaelLarson pick it up?”
@theacodes · 2018-11-01 · source
“If you could pick it up that would be great”
@njsmith · 2018-11-01 · source
“I've created a PR to resolve the issue, take a look when you've got time.”
@sethmlarson · 2018-11-01 · source

Failure Signature (Search String)

  • Malicious servers can exploit this to cause excessive CPU usage in urllib3 clients.

Error Message

Signature-only (no traceback captured)

Minimal Reproduction

repro.py (IPython session as posted in the issue)
In [51]: evil = gzip.compress(b"\x00" * 1032 * 40) * 1350
In [52]: len(evil)
Out[52]: 99900
In [53]: %time x = gzip.decompress(evil)
CPU times: user 230 ms, sys: 11.9 ms, total: 242 ms
Wall time: 240 ms
In [54]: %time x = urllib3.response.GzipDecoder().decompress(evil)
CPU times: user 5.87 s, sys: 7.73 s, total: 13.6 s
Wall time: 13.6 s

What Broke

Malicious servers can exploit this to cause excessive CPU usage in urllib3 clients.

Why It Broke

The GzipDecoder accumulates bytes using repeated calls to += on a bytes object, causing quadratic behavior.
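The accumulation pattern described above, as an added example written for this page (not urllib3's own code): a simplified multi-member gzip decoder that runs with either an immutable bytes accumulator (the pre-1.25 pattern) or a bytearray (the form used by the upstream fix), plus a timer to compare the two on a constructed stream of many small members. The names `decompress_members`, `build_stream` and `time_both` are chosen here; the trailing-garbage tolerance mirrors what urllib3's decoder does after a complete member.

```python
import gzip
import time
import zlib

GZIP_WBITS = 16 + zlib.MAX_WBITS  # make zlib expect a gzip header


def decompress_members(data, use_bytearray=True):
    """Decompress a gzip body made of one or more concatenated members.

    use_bytearray=False keeps the pre-1.25 pattern: ret is an immutable
    bytes object, so every `+=` copies everything accumulated so far and
    the loop is quadratic in the number of members. use_bytearray=True is
    the amortised-linear form of the upstream fix.
    """
    ret = bytearray() if use_bytearray else b""
    obj = zlib.decompressobj(GZIP_WBITS)
    first = True
    while data:
        try:
            ret += obj.decompress(data)
        except zlib.error:
            if first:
                raise           # the first member must be valid gzip
            break               # junk after a good member: keep output
        first = False
        data = obj.unused_data  # bytes belonging to the next member
        obj = zlib.decompressobj(GZIP_WBITS)
    return bytes(ret)


def build_stream(members, payload=b"\x00" * 1024):
    """Constructed input: `members` identical gzip members back to back."""
    return gzip.compress(payload) * members


def time_both(members):
    """Wall-clock seconds for the quadratic and the fixed accumulator."""
    stream = build_stream(members)
    timings = {}
    for label, flag in (("bytes", False), ("bytearray", True)):
        start = time.perf_counter()
        decompress_members(stream, use_bytearray=flag)
        timings[label] = time.perf_counter() - start
    return timings


if __name__ == "__main__":
    print(time_both(2000))  # "bytes" grows far faster than "bytearray"
```

Raising the member count in `time_both` makes the gap between the two accumulators grow visibly, while both return byte-identical output.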

Fix Options (Details)

Option A — Upgrade to fixed release (safe default, recommended)

pip install urllib3==1.25

When NOT to use: This fix should not be applied if backward compatibility with existing byte handling is required.

Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.

Fix reference: https://github.com/urllib3/urllib3/pull/1468

First fixed release: 1.25

Last verified: 2026-02-09. Validate in your environment.


When NOT to Use This Fix

  • This fix should not be applied if backward compatibility with existing byte handling is required.

Verify Fix

verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.


Prevention

  • Add a CI check that diffs key outputs after upgrades (OpenAPI schema snapshots, JSON payload shapes, CLI output).
  • Upgrade behind a canary and run integration tests against the canary before 100% rollout.

Version Compatibility Table

Version   Status
1.25      Fixed

Related Issues

No related fixes found.

Sources

We don’t republish the full GitHub discussion text. Use the links above for context.