Skip to content

Track pip release with urllib3 2.7.0+ for CVE-2026-9375 mitigation #1204

Description

@ivanovac

Track pip release with urllib3 2.7.0+ for CVE-2026-9375 mitigation

Summary

Python buildpack v1.9.2 is affected by CVE-2026-9375 / BDSA-2026-15853: a HIGH severity (CVSS 7.5) Brotli decompression DoS vulnerability in urllib3.

The buildpack currently includes pip 25.2 and pip 26.0.1, which vendor vulnerable urllib3 versions (1.26.20 and earlier). We need to monitor for a new pip release containing urllib3 2.7.0+ and update the buildpack accordingly.

Vulnerability Details

  • CVE: CVE-2026-9375
  • BDSA: BDSA-2026-15853
  • Severity: HIGH (CVSS 7.5)
  • Component: urllib3 (vendored in pip)
  • Issue: Brotli decompression bomb bypass in streaming API leading to DoS
  • Affected versions: urllib3 < 2.7.0
  • Fixed version: urllib3 2.7.0+

Current Status

  • Python buildpack v1.9.2 pip versions:

    • pip 25.2 → vendors urllib3 1.26.20 ❌ (vulnerable)
    • pip 26.0.1 → vendors urllib3 1.26.20 ❌ (vulnerable)
  • Latest pip release: 26.1.2 (May 31, 2026) → vendors urllib3 2.6.3 ❌ (still vulnerable)

  • pip main branch: Contains urllib3 2.7.0 ✅ (fixed as of June 8, 2026, not yet released)

Action Items

  • Monitor for new pip release (expected ~Aug/Sep 2026 based on 3-month cycle, possibly sooner due to security fix)
  • Once pip release with urllib3 2.7.0+ is available, update python-buildpack dependencies
  • Test buildpack with new pip version
  • Release updated python-buildpack
  • Notify customers via security bulletin

References

Related

  • Related to customer case #863400/2026 (CAP application security audit)

Check frequency: Weekly until pip release is available
Priority: High (security vulnerability)

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't workingdependency-deprecationNotice of dependency deprecation

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions