VULN UPGRADE: urllib3 (major → 2.6.3) [opentelemetry/python-microservice]

[campaigner-prod]

Summary: High-severity security update — 1 package upgraded (MAJOR changes included)

Manifests changed:

• opentelemetry/python-microservice (pip)

Updates

Package	From	To	Type	Vulnerabilities Fixed
urllib3	1.25.10	2.6.3	major	12 HIGH, 5 MODERATE, 2 MEDIUM

---

Warning

Major Version Upgrade

This update includes major version changes that may contain breaking changes. Please:

• Review the changelog/release notes for breaking changes
• Test thoroughly in a staging environment
• Update any code that depends on changed APIs
• Ensure all tests pass before merging

Security Details

🚨 Critical & High Severity (12 fixed)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
urllib3	GHSA-v845-jxx5-vc9f	HIGH	Cookie HTTP header isn't stripped on cross-origin redirects	1.25.10	2.0.6
urllib3	CVE-2026-21441	HIGH	urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API)	1.25.10	-
urllib3	CVE-2021-33503	HIGH	-	1.25.10	-
urllib3	CVE-2023-43804	HIGH	Cookie HTTP header isn't stripped on cross-origin redirects	1.25.10	-
urllib3	PYSEC-2023-192	HIGH	-	1.25.10	644124ecd0b6e417c527191f866daa05a5a2056d
urllib3	GHSA-2xpw-w6gg-jr37	HIGH	urllib3 streaming API improperly handles highly compressed data	1.25.10	2.6.0
urllib3	PYSEC-2021-108	HIGH	-	1.25.10	2d4a3fee6de2fa45eb82169361918f759269b4ec
urllib3	GHSA-q2q7-5pp4-w6pg	HIGH	Catastrophic backtracking in URL authority parser when passed URL containing many @ characters	1.25.10	1.26.5
urllib3	GHSA-38jv-5279-wg99	HIGH	Decompression-bomb safeguards bypassed when following HTTP redirects (streaming API)	1.25.10	2.6.3
urllib3	CVE-2025-66471	HIGH	urllib3 Streaming API improperly handles highly compressed data	1.25.10	-
urllib3	CVE-2025-66418	HIGH	urllib3 allows an unbounded number of links in the decompression chain	1.25.10	-
urllib3	GHSA-gm62-xv2j-4w53	HIGH	urllib3 allows an unbounded number of links in the decompression chain	1.25.10	2.6.0

ℹ️ Other Vulnerabilities (7)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
urllib3	PYSEC-2023-212	medium	-	1.25.10	4e98d57809dacab1cbe625fddeec1a290c478ea9
urllib3	CVE-2023-45803	medium	Request body not stripped after redirect in urllib3	1.25.10	-
urllib3	CVE-2025-50181	MODERATE	urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation	1.25.10	-
urllib3	GHSA-pq67-6m6q-mj2v	MODERATE	urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation	1.25.10	2.5.0
urllib3	GHSA-g4mx-q9vg-27p4	MODERATE	urllib3's request body not stripped after redirect from 303 status changes request method to GET	1.25.10	2.0.7
urllib3	CVE-2024-37891	MODERATE	Proxy-Authorization request header isn't stripped during cross-origin redirects in urllib3	1.25.10	-
urllib3	GHSA-34jh-p97f-mpxf	MODERATE	urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects	1.25.10	1.26.19

⚠️ Dependencies that have Reached EOL (1)

Dependency	Unsafe Version	EOL Date	New Version	Path
urllib3	1.25.10	Jul 22, 2025	2.6.3	opentelemetry/python-microservice/requirements.txt

---

Review Checklist

Extra review is recommended for this update:

• Review changes for compatibility with your code
• Check release notes for breaking changes
• Run integration tests to verify service behavior
• Test in staging environment before production
• Monitor key metrics after deployment

---

Update Mode: Vulnerability Remediation (High)

🤖 Generated by DataDog Automated Dependency Management System