CVE-2026-21441: Urllib3 Drain Conn Decompression Bomb

Provally Curated · Public repository · High · Medium confidence · Verified · Apache-2.0 · python
greprules fetch cve-2026-21441-urllib3-drain-conn-decompression-bomb --engine opengrep

Description

When draining an HTTPResponse connection, calling `read()` without explicitly disabling `decode_content` can cause unnecessary decompression of the response body. This leaves the client vulnerable to decompression bomb DoS attacks when processing untrusted HTTP redirects. Explicitly pass `decode_content=False` or the current decoder state to prevent unbounde
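The flagged pattern and its fix, as an added example that is not urllib3's code and not part of this rule's own text. `FakeHTTPResponse` is an assumed stand-in for urllib3's `HTTPResponse` that only models the two behaviours that matter here: `read()` inflates a gzip body when `decode_content` is true and returns the raw bytes when it is false. The gzip body is constructed inline; a few KiB on the wire inflate to several MiB, which is exactly the work a drain should never do.

```python
import gzip
import io
import zlib


class FakeHTTPResponse:
    """Minimal stand-in for urllib3's HTTPResponse (an assumption for this example,
    not urllib3's real class). read(decode_content=True) inflates a gzip body the
    way the real decoder would; decode_content=False hands back the raw bytes."""

    def __init__(self, raw_body: bytes, content_encoding: str = "gzip"):
        self._fp = io.BytesIO(raw_body)
        self.headers = {"content-encoding": content_encoding}
        self.inflated_bytes = 0  # decompression work the client was made to do

    def read(self, decode_content: bool = True) -> bytes:
        data = self._fp.read()
        if data and decode_content and self.headers.get("content-encoding") == "gzip":
            data = gzip.decompress(data)
            self.inflated_bytes += len(data)
        return data


def gzip_body(payload: bytes) -> bytes:
    """Constructed sample body. With payload = many zero bytes this is a small
    gzip stream that inflates to a large buffer (a minimal decompression bomb)."""
    return gzip.compress(payload, compresslevel=9)


def drain_conn_naive(resp: FakeHTTPResponse) -> int:
    """The flagged pattern: read() defaults to decode_content=True, so the body is
    decompressed only to be thrown away. Returns the number of inflated bytes produced."""
    return len(resp.read())


def drain_conn_safe(resp: FakeHTTPResponse) -> int:
    """The fix: discard the still-compressed bytes so no decoder runs.
    Returns the number of raw bytes discarded."""
    return len(resp.read(decode_content=False))


def read_bounded(resp: FakeHTTPResponse, max_bytes: int) -> bytes:
    """For bodies you do need: inflate with an output cap via zlib so a bomb fails
    fast instead of exhausting memory. Raises ValueError if the cap is exceeded."""
    raw = resp.read(decode_content=False)
    if resp.headers.get("content-encoding") != "gzip":
        return raw
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16 + MAX_WBITS selects gzip framing
    out = d.decompress(raw, max_bytes + 1)  # emit at most max_bytes + 1 bytes
    if len(out) > max_bytes:
        raise ValueError(f"decompressed body exceeds {max_bytes} bytes")
    return out


if __name__ == "__main__":
    bomb = gzip_body(b"\x00" * (4 * 1024 * 1024))
    print(f"bomb on the wire: {len(bomb)} bytes")
    r = FakeHTTPResponse(bomb)
    print(f"naive drain inflated {drain_conn_naive(r)} bytes")
    r = FakeHTTPResponse(bomb)
    print(f"safe drain discarded {drain_conn_safe(r)} raw bytes, inflated {r.inflated_bytes}")
```

The drain helpers are the two sides of the rule: `drain_conn_naive` pays the full inflation cost for bytes it discards, `drain_conn_safe` pays only for the compressed size. `read_bounded` is the companion check for the case where the body is actually consumed: `zlib.decompressobj().decompress(data, max_length)` caps the output so an over-sized body is rejected before it is fully materialised.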

Detection target

Not provided

Recommended fix

Not provided

False-positive notes

Not provided
