Track pip release with urllib3 2.7.0+ for CVE-2026-9375 mitigation
Summary
Python buildpack v1.9.2 is affected by CVE-2026-9375 / BDSA-2026-15853: a HIGH severity (CVSS 7.5) Brotli decompression DoS vulnerability in urllib3.
The buildpack currently includes pip 25.2 and pip 26.0.1, which vendor vulnerable urllib3 versions (1.26.20 and earlier). We need to monitor for a new pip release containing urllib3 2.7.0+ and update the buildpack accordingly.
Vulnerability Details
- CVE: CVE-2026-9375
- BDSA: BDSA-2026-15853
- Severity: HIGH (CVSS 7.5)
- Component: urllib3 (vendored in pip)
- Issue: Brotli decompression bomb bypass in streaming API leading to DoS
- Affected versions: urllib3 < 2.7.0
- Fixed version: urllib3 2.7.0+
Current Status
-
Python buildpack v1.9.2 pip versions:
- pip 25.2 → vendors urllib3 1.26.20 ❌ (vulnerable)
- pip 26.0.1 → vendors urllib3 1.26.20 ❌ (vulnerable)
-
Latest pip release: 26.1.2 (May 31, 2026) → vendors urllib3 2.6.3 ❌ (still vulnerable)
-
pip main branch: Contains urllib3 2.7.0 ✅ (fixed as of June 8, 2026, not yet released)
Action Items
References
Related
- Related to customer case #863400/2026 (CAP application security audit)
Check frequency: Weekly until pip release is available
Priority: High (security vulnerability)
Track pip release with urllib3 2.7.0+ for CVE-2026-9375 mitigation
Summary
Python buildpack v1.9.2 is affected by CVE-2026-9375 / BDSA-2026-15853: a HIGH severity (CVSS 7.5) Brotli decompression DoS vulnerability in urllib3.
The buildpack currently includes pip 25.2 and pip 26.0.1, which vendor vulnerable urllib3 versions (1.26.20 and earlier). We need to monitor for a new pip release containing urllib3 2.7.0+ and update the buildpack accordingly.
Vulnerability Details
Current Status
Python buildpack v1.9.2 pip versions:
Latest pip release: 26.1.2 (May 31, 2026) → vendors urllib3 2.6.3 ❌ (still vulnerable)
pip main branch: Contains urllib3 2.7.0 ✅ (fixed as of June 8, 2026, not yet released)
Action Items
References
Related
Check frequency: Weekly until pip release is available
Priority: High (security vulnerability)