
[Snyk: High] Allocation of Resources Without Limits or Throttling (Due: 01/10/2026) #6426

@tmpayton

Description


Detailed paths and remediation

Introduced through: root@* › elasticsearch@7.10.1 › urllib3@1.26.20
Fix: Pin urllib3 to version 2.6.0 (or later)
Introduced through: root@* › requests@2.32.4 › urllib3@1.26.20
Fix: Pin urllib3 to version 2.6.0 (or later)
Introduced through: root@* › elasticsearch-dsl@7.4.1 › elasticsearch@7.10.1 › urllib3@1.26.20
Fix: Pin urllib3 to version 2.6.0 (or later)

Note: urllib3 is only a transitive dependency here, so a pin in the root requirements takes effect only if each direct dependent's own requirement range (elasticsearch, elasticsearch-dsl, requests) admits urllib3 2.x. Re-run the resolver after changing the pin and confirm that urllib3 2.6.0 or later is what actually gets installed.

…and 2 more
Security information
Factors contributing to the scoring:

Snyk: [CVSS v4.0 8.9](https://security.snyk.io/vuln/SNYK-PYTHON-URLLIB3-14192443) - High Severity | [CVSS v3.1 6.8](https://security.snyk.io/vuln/SNYK-PYTHON-URLLIB3-14192443) - Medium Severity
NVD: [CVSS v3.1 7.5](https://nvd.nist.gov/vuln/detail/CVE-2025-66418) - High Severity

Overview

urllib3 is an HTTP library with thread-safe connection pooling, file post, and more.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling (CWE-770) during the decompression of compressed response data. urllib3 transparently undoes every encoding listed in a response's Content-Encoding header, and affected versions place no limit on how many encodings may be chained. A server (or an on-path attacker for plaintext HTTP) can therefore send a small response whose Content-Encoding lists a large number of chained compression steps, and the client spends CPU and memory decoding all of them. Exposure is highest in code that fetches attacker-influenced URLs (webhooks, feed or link fetchers, SSRF-adjacent integrations), since the attacker must control the response. The fix is to upgrade to urllib3 2.6.0 or later; if that is not immediately possible, read such responses with decode_content=False and decompress them yourself under explicit limits on chain length and output size.
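To make the failure mode concrete, the following is an added example, not code from the Snyk report or from urllib3 itself. It builds a constructed "malicious" response body by chaining many gzip layers with the matching Content-Encoding header, shows the unbounded decode pattern that blindly undoes every layer, and then a bounded decoder that refuses responses exceeding a cap on chained steps or on decompressed bytes. The cap values (max_layers, max_bytes) are illustrative assumptions and not urllib3's own limits; everything runs offline on stdlib only.

```python
"""Added example (not from the Snyk report or urllib3): chained Content-Encoding
decompression, unbounded versus bounded. All inputs are constructed locally."""
import gzip
import zlib


class DecompressionLimitError(ValueError):
    """A response would exceed the configured decompression budget."""


def build_chained_body(payload: bytes, layers: int, encoding: str = "gzip") -> tuple[bytes, str]:
    """Compress `payload` `layers` times in a row, the way a malicious server would.

    Returns the wire body and the matching Content-Encoding header value. Each layer
    is applied to the output of the previous one and the header lists them in that
    order (e.g. "gzip, gzip, gzip"), so a client must undo them last-to-first.
    """
    body = payload
    for _ in range(layers):
        body = gzip.compress(body) if encoding == "gzip" else zlib.compress(body)
    return body, ", ".join([encoding] * layers)


def decode_unbounded(body: bytes, content_encoding: str) -> bytes:
    """The vulnerable pattern: undo every listed encoding with no cap on count or size."""
    data = body
    for enc in reversed([e.strip().lower() for e in content_encoding.split(",")]):
        data = gzip.decompress(data) if enc == "gzip" else zlib.decompress(data)
    return data


def _decode_one_layer(data: bytes, encoding: str, max_bytes: int) -> bytes:
    """Decompress a single gzip or deflate layer, refusing to emit more than max_bytes."""
    # wbits selects the container: 16+MAX_WBITS = gzip wrapper, MAX_WBITS = zlib wrapper.
    wbits = 16 + zlib.MAX_WBITS if encoding == "gzip" else zlib.MAX_WBITS
    d = zlib.decompressobj(wbits=wbits)
    # max_length caps how much output zlib produces; asking for one byte over budget
    # detects "too big" without ever materialising the whole decompressed stream.
    out = d.decompress(data, max_bytes + 1)
    # Check unconsumed_tail BEFORE flush(): flush() would process the leftover input
    # with no length cap and defeat the limit.
    if len(out) > max_bytes or d.unconsumed_tail:
        raise DecompressionLimitError(f"{encoding} layer would exceed {max_bytes} bytes")
    out += d.flush()
    if len(out) > max_bytes:
        raise DecompressionLimitError(f"{encoding} layer would exceed {max_bytes} bytes")
    return out


def decode_bounded(body: bytes, content_encoding: str, *, max_layers: int, max_bytes: int) -> bytes:
    """Undo the Content-Encoding chain with a cap on chained steps and on output size.

    max_layers / max_bytes are illustrative policy knobs for this example (assumed
    values, not urllib3's), enforced before any decompression work is done.
    """
    encodings = [e.strip().lower() for e in content_encoding.split(",") if e.strip()]
    if len(encodings) > max_layers:
        raise DecompressionLimitError(
            f"{len(encodings)} chained encodings exceed the limit of {max_layers}")
    data = body
    for enc in reversed(encodings):  # the last-applied encoding is undone first
        if enc == "identity":
            continue
        if enc not in ("gzip", "x-gzip", "deflate"):
            raise ValueError(f"unsupported Content-Encoding {enc!r}")
        data = _decode_one_layer(data, "deflate" if enc == "deflate" else "gzip", max_bytes)
    return data


def demo(layers: int = 64) -> dict:
    """Constructed attacker response: 1 KiB of payload wrapped in `layers` gzip steps."""
    body, header = build_chained_body(b"A" * 1024, layers)
    result = {"wire_bytes": len(body), "layers": len(header.split(","))}
    result["unbounded_ok"] = decode_unbounded(body, header) == b"A" * 1024
    try:
        decode_bounded(body, header, max_layers=5, max_bytes=1 << 20)
        result["bounded"] = "accepted"
    except DecompressionLimitError as exc:
        result["bounded"] = f"rejected: {exc}"
    return result


if __name__ == "__main__":
    print(demo())
```

The chain-length check runs before any inflate call, so a hostile header is rejected for free, and the per-layer byte cap uses zlib's max_length so that a classic single-layer bomb (a few KiB that inflate to megabytes) is also refused without allocating the full output. Checking `unconsumed_tail` before `flush()` matters: `flush()` inflates whatever input is left with no length cap, which would quietly defeat the limit.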

Status: 📥 Assigned