Back to overview

CVE-2026-59939

HIGH
7.5
CVSS 3.1
Description
httplib2 is a comprehensive HTTP client library for Python. Prior to 0.32.0, httplib2 performs unbounded decompression of HTTP response bodies encoded with Content-Encoding: gzip or deflate in _decompressContent in httplib2/init.py, allowing a malicious or compromised HTTP server to return a small compressed payload that expands to an arbitrarily large size in memory and causes MemoryError or OOM-kill in the client process. This issue is fixed in version 0.32.0.

Metadata

CVE ID
CVE-2026-59939
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-07-07 18:20 UTC
Published
2026-07-08 19:34 UTC
Last updated
2026-07-08 19:34 UTC
Primary CWE
CWE-409
CWE-409: Improper Handling of Highly Compressed Data (Data A…
Vendor / Product
httplib2 / httplib2
Sources
cve.org  ·  NVD

Severity & Metrics

7.5 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected products (1)
VendorProductPlatformVersions
httplib2 httplib2 < 0.32.0
Weakness (CWE)
CWESourceDescription
CWE-409 cna CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)
CVSS scores (1)
ScoreSeverityVersionSourceVector
7.5 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References (3)
Back to overview