CVE Details
| CVE ID | Severity | Affected Package | Installed Version | Fixed Version | Date Published | Date of Scan |
|---|---|---|---|---|---|---|
| CVE-2026-44432 | HIGH | urllib3 | 2.6.3 | 2.7.0 | 2026-05-13T16:16:57.303Z | 2026-05-14T10:18:23.557102502Z |
Affected Docker Images
| Image Name | SHA |
|---|---|
| public.ecr.aws/lambda/python:latest | public.ecr.aws/lambda/python@sha256:ba32ff42fc0c694aa03f7136c4fefb94e34eadefb1934305f111614064e2202c |
| public.ecr.aws/lambda/python:3.14 | public.ecr.aws/lambda/python@sha256:0f9f9c17bc7e46797bd1f31df22eeaaf8426649103f18f8b349133c69a737ef8 |
| public.ecr.aws/lambda/python:3.13 | public.ecr.aws/lambda/python@sha256:ba32ff42fc0c694aa03f7136c4fefb94e34eadefb1934305f111614064e2202c |
| public.ecr.aws/lambda/python:3.12 | public.ecr.aws/lambda/python@sha256:6f0f363ec1ec9cda61e8d96fa8ae8ad108680e5bda086d3ce18b2714d3434bef |
| public.ecr.aws/lambda/python:3.11 | public.ecr.aws/lambda/python@sha256:1f83243c1733b48d92529a69c67f58417682847c3368987d4c5745a3deb24f43 |
| public.ecr.aws/lambda/python:3.10 | public.ecr.aws/lambda/python@sha256:a865d1f06511c9bd395205c76d3863b8693fd1b6f37a1f74b4af719deee6c5c8 |
Description
urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) when HTTPResponse.drain_conn() was called after the response had been read and decompressed partially (compression algorithm did not matter here). These issues could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This could result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data) on the client side. This vulnerability is fixed in 2.7.0.
Remediation Steps
- Update the affected package urllib3 from version 2.6.3 to 2.7.0.
About this issue
- This issue may not contain all the information about the CVE nor the images it affects.
- This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
- For more, visit Lambda Watchdog.
- This issue was created automatically by Lambda Watchdog.