Sourced from urllib3's releases.
2.6.3
🚀 urllib3 is fundraising for HTTP/2 support
urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.
Thank you for your support.
Changes
- Fixed a security issue where decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were followed. (CVE-2026-21441 reported by
@​D47A, 8.9 High, GHSA-38jv-5279-wg99)- Started treating
Retry-Aftertimes greater than 6 hours as 6 hours by default. (urllib3/urllib3#3743)- Fixed
urllib3.connection.VerifiedHTTPSConnectionon Emscripten. (urllib3/urllib3#3752)2.6.2
🚀 urllib3 is fundraising for HTTP/2 support
urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.
Thank you for your support.
Changes
- Fixed
HTTPResponse.read_chunked()to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. (urllib3/urllib3#3734)2.6.1
🚀 urllib3 is fundraising for HTTP/2 support
urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.
Thank you for your support.
Changes
- Restore previously removed
HTTPResponse.getheaders()andHTTPResponse.getheader()methods. (#3731)2.6.0
🚀 urllib3 is fundraising for HTTP/2 support
urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.
Thank you for your support.
Security
- Fixed a security issue where streaming API could improperly handle highly compressed HTTP content ("decompression bombs") leading to excessive resource consumption even when a small amount of data was requested. Reading small chunks of compressed data is safer and much more efficient now. (CVE-2025-66471 reported by
@​Cycloctane, 8.9 High, GHSA-2xpw-w6gg-jr37)- Fixed a security issue where an attacker could compose an HTTP response with virtually unlimited links in the
Content-Encodingheader, potentially leading to a denial of service (DoS) attack by exhausting system resources during decoding. The number of allowed chained encodings is now limited to 5. (CVE-2025-66418 reported by@​illia-v, 8.9 High, GHSA-gm62-xv2j-4w53)[!IMPORTANT]
- If urllib3 is not installed with the optional
urllib3[brotli]extra, but your environment contains a Brotli/brotlicffi/brotlipy package anyway, make sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to benefit from the security fixes and avoid warnings. Prefer usingurllib3[brotli]to install a compatible Brotli package automatically.
... (truncated)
Sourced from urllib3's changelog.
2.6.3 (2026-01-07)
- Fixed a high-severity security issue where decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were followed. (
GHSA-38jv-5279-wg99 <https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99>__)- Started treating
Retry-Aftertimes greater than 6 hours as 6 hours by default. ([#3743](https://github.com/urllib3/urllib3/issues/3743) <https://github.com/urllib3/urllib3/issues/3743>__)- Fixed
urllib3.connection.VerifiedHTTPSConnectionon Emscripten. ([#3752](https://github.com/urllib3/urllib3/issues/3752) <https://github.com/urllib3/urllib3/issues/3752>__)2.6.2 (2025-12-11)
- Fixed
HTTPResponse.read_chunked()to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. ([#3734](https://github.com/urllib3/urllib3/issues/3734) <https://github.com/urllib3/urllib3/issues/3734>__)2.6.1 (2025-12-08)
- Restore previously removed
HTTPResponse.getheaders()andHTTPResponse.getheader()methods. ([#3731](https://github.com/urllib3/urllib3/issues/3731) <https://github.com/urllib3/urllib3/issues/3731>__)2.6.0 (2025-12-05)
Security
- Fixed a security issue where streaming API could improperly handle highly compressed HTTP content ("decompression bombs") leading to excessive resource consumption even when a small amount of data was requested. Reading small chunks of compressed data is safer and much more efficient now. (
GHSA-2xpw-w6gg-jr37 <https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37>__)- Fixed a security issue where an attacker could compose an HTTP response with virtually unlimited links in the
Content-Encodingheader, potentially leading to a denial of service (DoS) attack by exhausting system resources during decoding. The number of allowed chained encodings is now limited to 5. (GHSA-gm62-xv2j-4w53 <https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53>__).. caution::
- If urllib3 is not installed with the optional
urllib3[brotli]extra, but your environment contains a Brotli/brotlicffi/brotlipy package anyway, make sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to benefit from the security fixes and avoid warnings. Prefer using
... (truncated)
0248277
Release 2.6.38864ac4
Merge commit from fork70cecb2
Fix Scorecard issues related to vulnerable dev dependencies (#3755)41f249a
Move "v2.0 Migration Guide" to the end of the table of
contents (#3747)fd4dffd
Patch VerifiedHTTPSConnection for Emscripten (#3752)13f0bfd
Handle massive values in Retry-After when calculating time to sleep for
(#3743)8c480bf
Bump actions/upload-artifact from 5.0.0 to 6.0.0 (#3748)4b40616
Bump actions/cache from 4.3.0 to 5.0.1 (#3750)82b8479
Bump actions/download-artifact from 6.0.0 to 7.0.0 (#3749)34284cb
Mention experimental features in the security policy (#3746)