Python 3.8 LTS backport of urllib3 v2.2.3 with 5 CVE security patches (CVE-2026-21441, CVE-2025-66471, CVE-2025-66418, CVE-2025-50182, CVE-2025-50181)
Project description
urllib3-lts-py38 🛡️
Security Backport for Python 3.8
Base: urllib3 v2.x | Patch Level: 2026.21441 | Auditor: 1minds3t
🚨 Security Matrix (Cumulative)
This release provides a hardened backport for Python 3.8, mitigating 5 Critical/High/Moderate Vulnerabilities identified between 2025 and 2026.
| CVE ID | Severity | Description | Status |
|---|---|---|---|
| CVE-2026-21441 | 🔴 HIGH | Infinite Sleep DoS: Limits Retry-After to 6 hours max. | 🛡️ FIXED |
| CVE-2025-66471 | 🔴 HIGH | Header/Collection Logic: Hardened internal data structures. | 🛡️ FIXED |
| CVE-2025-66418 | 🔴 HIGH | Decompression DoS: Hard limit of 5 nested Content-Encoding layers, prevents CPU exhaustion via nested compression attacks. | 🛡️ FIXED |
| CVE-2025-50182 | 🟡 MOD | Node.js Redirect Bypass: Enforces manual redirect control in emscripten backend. | 🛡️ FIXED |
| CVE-2025-50181 | 🟡 MOD | Redirect Security Bypass: Fixed PoolManager to correctly disable redirects when retries=False. | 🛡️ FIXED |
🛠️ Patch Architecture
Unlike standard upstream releases, this LTS version is specifically tuned for Python 3.8:
- Targeted Fixes: Only security-critical logic was backported; "modernization" noise (Python 3.14+ compatibility) was stripped to maintain a minimal diff.
- Resource Safety: Implemented mandatory `retry_after_max` and lazy decompression guards to prevent resource hanging.
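The two resource limits named in the table, shown as a standalone sketch. This is an added example, not code from this package or from urllib3; the function names and the choice to ignore an unparseable header are assumptions, and only the 6-hour and 5-layer figures come from the page.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

RETRY_AFTER_MAX = 6 * 60 * 60  # seconds; the 6-hour ceiling from the table
MAX_DECODE_LAYERS = 5          # nested Content-Encoding limit from the table


def bounded_retry_after(value, now=None):
    """Seconds to sleep for a Retry-After header, clamped to [0, RETRY_AFTER_MAX]."""
    value = value.strip()
    if value.isascii() and value.isdigit():      # delta-seconds form
        # Very long digit strings are capped without converting them.
        seconds = int(value) if len(value) <= 9 else RETRY_AFTER_MAX
    else:                                        # HTTP-date form
        try:
            when = parsedate_to_datetime(value)
        except (TypeError, ValueError):
            return 0                             # unparseable: do not sleep
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        now = now or datetime.now(timezone.utc)
        seconds = (when - now).total_seconds()
    return max(0, min(int(seconds), RETRY_AFTER_MAX))


def check_encoding_chain(header_value):
    """Return the Content-Encoding layers, refusing chains deeper than the limit."""
    layers = [t.strip().lower() for t in header_value.split(",") if t.strip()]
    if len(layers) > MAX_DECODE_LAYERS:
        raise ValueError(f"{len(layers)} encodings exceeds limit of {MAX_DECODE_LAYERS}")
    return layers
```
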
📦 Installation
```bash
pip install urllib3-lts-py38==2026.21441
```
## 🌐 OmniPKG Security Scanning
This package is maintained as part of the **OmniPKG** ecosystem — a Python
environment manager with built-in CVE scanning powered by
[Safety](https://pypi.org/project/safety/) or pip audit as a fallback.
When you run `omnipkg reset`, it automatically audits all installed packages
against the Safety vulnerability database and flags any known CVEs:
```bash
pip install omnipkg
omnipkg reset -y
# -> Performs security scan across all installed packages
# -> Reports CVEs, audit status, and affected versions
# -> urllib3-lts-py38 will show 0 issues for the patched CVEs above
```
Maintained by 1minds3t.
## ⚠️ Critical Installation Warning
**You MUST uninstall the standard `urllib3` before installing this package to avoid namespace conflicts:**
```bash
pip uninstall urllib3 -y
pip install urllib3-lts-py38
```
All patches verified via omnipatcher manual human review on 2026-02-22.
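A post-install check for the namespace conflict described in the warning above, as an added example that is not part of this package. It assumes both distributions install a top-level `urllib3/` directory; the function names and status strings are illustrative.

```python
import re
from importlib import metadata  # standard library since Python 3.8


def owners_of(import_name, dists):
    """Normalized names of distributions that ship <import_name>/__init__.py."""
    target = import_name + "/__init__.py"
    found = set()
    for name, files in dists:
        # files is None when a distribution has no RECORD/installed-files list
        if any(str(f).replace("\\", "/") == target for f in files or ()):
            found.add(re.sub(r"[-_.]+", "-", name or "").lower())
    return sorted(found)


def installed_dists():
    """Yield (name, files) for every distribution in the current environment."""
    for dist in metadata.distributions():
        yield dist.metadata["Name"], dist.files


def check_urllib3_namespace(dists=None):
    """Classify who owns the urllib3 import package in this environment."""
    owners = owners_of("urllib3", installed_dists() if dists is None else dists)
    if owners == ["urllib3-lts-py38"]:
        return "ok", owners
    if "urllib3-lts-py38" in owners:
        return "conflict", owners      # two distributions write to urllib3/
    return "not-installed", owners     # the LTS backport does not own urllib3/


if __name__ == "__main__":
    print(check_urllib3_namespace())
```

A `conflict` result means files from two distributions are interleaved in the same directory, so the code that actually gets imported may not be the patched version.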
File details
Details for the file urllib3_lts_py38-2026.21441.1.tar.gz.
File metadata
- Download URL: urllib3_lts_py38-2026.21441.1.tar.gz
- Upload date:
- Size: 179.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 3c692fc812a1f50b9df9dfd37528ad652eba6072b838869d8f7b7e07a8dc9adf |
| MD5 | d289c72991f568dd80cb17ee60f8f461 |
| BLAKE2b-256 | 165517fe73e3e669c9e8895630bad5cc8d90573eec7f3a5d5ecf5c1373836cb9 |
Provenance
The following attestation bundles were made for urllib3_lts_py38-2026.21441.1.tar.gz:
Publisher: publish.yml on 1minds3t/urllib3-lts
- Statement:
  - Statement type: https://in-toto.io/Statement/v1
  - Predicate type: https://docs.pypi.org/attestations/publish/v1
  - Subject name: urllib3_lts_py38-2026.21441.1.tar.gz
  - Subject digest: 3c692fc812a1f50b9df9dfd37528ad652eba6072b838869d8f7b7e07a8dc9adf
  - Sigstore transparency entry: 978261823
  - Sigstore integration time:
  - Permalink: 1minds3t/urllib3-lts@788ba60ba81b0f78d234b3212bdde1a318c63d77
  - Branch / Tag: refs/tags/CVE-2026-21441.1-py38
  - Owner: https://github.com/1minds3t
  - Access: public
  - Token Issuer: https://token.actions.githubusercontent.com
  - Runner Environment: github-hosted
  - Publication workflow: publish.yml@788ba60ba81b0f78d234b3212bdde1a318c63d77
  - Trigger Event: release
File details
Details for the file urllib3_lts_py38-2026.21441.1-py3-none-any.whl.
File metadata
- Download URL: urllib3_lts_py38-2026.21441.1-py3-none-any.whl
- Upload date:
- Size: 125.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 8703a968fc3aed5f66c55b22683cf97400161bceaa836acff96e924b1e8086ef |
| MD5 | 25c1e9b69b7d8b70277918f19fd23fdf |
| BLAKE2b-256 | dd59d492471a841c8c0f21cecf6179ec83e09dec55e0173a3e946236151248a8 |
Provenance
The following attestation bundles were made for urllib3_lts_py38-2026.21441.1-py3-none-any.whl:
Publisher: publish.yml on 1minds3t/urllib3-lts
- Statement:
  - Statement type: https://in-toto.io/Statement/v1
  - Predicate type: https://docs.pypi.org/attestations/publish/v1
  - Subject name: urllib3_lts_py38-2026.21441.1-py3-none-any.whl
  - Subject digest: 8703a968fc3aed5f66c55b22683cf97400161bceaa836acff96e924b1e8086ef
  - Sigstore transparency entry: 978261891
  - Sigstore integration time:
  - Permalink: 1minds3t/urllib3-lts@788ba60ba81b0f78d234b3212bdde1a318c63d77
  - Branch / Tag: refs/tags/CVE-2026-21441.1-py38
  - Owner: https://github.com/1minds3t
  - Access: public
  - Token Issuer: https://token.actions.githubusercontent.com
  - Runner Environment: github-hosted
  - Publication workflow: publish.yml@788ba60ba81b0f78d234b3212bdde1a318c63d77
  - Trigger Event: release