Improper Handling of Highly Compressed Data (Data Amplification) Affecting httplib2 package, versions [,0.32.0)


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.36% (28th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-PYTHON-HTTPLIB2-17900545
  • published9 Jul 2026
  • disclosed8 Jul 2026
  • creditmauriceng98

Introduced: 8 Jul 2026

NewCVE-2026-59939  (opens in a new tab)
CWE-409  (opens in a new tab)

How to fix?

Upgrade httplib2 to version 0.32.0 or higher.

Overview

httplib2 is a small HTTP client library for Python.

Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data (Data Amplification) through the _decompressContent function in httplib2/__init__.py. An attacker can exhaust memory and crash the client by sending an HTTP response with Content-Encoding: gzip or deflate and a small compressed body that expands into a very large payload. The vulnerable request path automatically decompresses the entire response body in memory with unbounded gzip and zlib operations. Applications using httplib2.Http().request() against attacker-controlled or compromised HTTP endpoints are affected by MemoryError, OOM termination, and loss of service.

Notes

  • The affected client path is the automatic response-decompression step in Http().request(); applications that leave response compression enabled and talk to untrusted or intermediary-controlled servers are the ones exposed.
  • The vulnerability is broader than gzip alone: the same path handles deflate-encoded responses as well, so any endpoint that returns Content-Encoding: deflate can trigger the same in-memory expansion failure.

CVSS Base Scores

version 4.0
version 3.1