LTS Security release for urllib3 (CVE-2026-21441 Patch) - Meta-package
Verified details
These details have been verified by PyPIProject links
GitHub Statistics
Maintainers
Project description
urllib3-lts 🛡️
The Long-Term Support Security Release for urllib3.
This ecosystem backports critical security fixes to legacy Python environments (3.7 & 3.8) that official maintainers have dropped.
🏆 Patch Status (v2025.66471)
This release secures 941M+ downloads against the following vulnerabilities:
🏆 Patch Status (v2026.21441)
This release secures 929M+ downloads against the following vulnerabilities:
| Vulnerability | Severity | Impact | Py3.7 | Py3.8 |
|---|---|---|---|---|
| CVE-2026-21441 | 🔴 HIGH | Infinite Sleep DoS + Decompression Bomb | 🛡️ Fixed | 🛡️ Fixed |
| CVE-2025-66471 | 🔴 HIGH | Compression Bomb DoS + Bytes Key Crash | 🛡️ Fixed | 🛡️ Fixed |
| CVE-2025-66418 | 🔴 HIGH | Nested Decompression DoS | 🛡️ Fixed | 🛡️ Fixed |
| CVE-2025-50182 | 🟡 MOD | Node.js Redirect Bypass | N/A | 🛡️ Fixed |
| CVE-2025-50181 | 🟡 MOD | Redirect Retry Bypass | 🛡️ Fixed | 🛡️ Fixed |
| CVE-2024-37891 | 🟡 MOD | Proxy-Auth Header Leak | 🛡️ Fixed | N/A |
📦 Usage
Standard Installation:
pip install urllib3-lts
This meta-package automatically detects your Python version and installs the correct secured backport.
🌐 OmniPKG Security Scanning
This package is maintained as part of the OmniPKG ecosystem — a Python
environment manager with built-in CVE scanning. Scanning is performed via
pip audit by default, with Safety as
an optional upgrade.
pip install omnipkg
omnipkg reset -y
# -> Scans all installed packages for CVEs
# -> urllib3-lts will show 0 issues for all patched CVEs above
Maintained by 1minds3t.
🚧 Coming Soon: omnipkg-runtime
We are building a runtime enforcer that allows configurable WARN or BLOCK policies for unpatched vulnerabilities. Stay tuned.
⚠️ Important: Installation for Python 3.7-3.8
Before installing urllib3-lts, uninstall any existing urllib3:
pip uninstall urllib3 -y
pip install urllib3-lts
This ensures you get the security patches. If you install urllib3-lts without removing urllib3 first, other packages may reinstall the vulnerable version.
Alternative: Pin in requirements.txt
urllib3-lts-py37==2026.21441.1 ; python_version<'3.8'
urllib3-lts-py38==2026.21441 ; python_version>='3.8' and python_version<'3.9'
Project details
Verified details
These details have been verified by PyPIProject links
GitHub Statistics
Maintainers
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file urllib3_lts-2026.21441.1.tar.gz.
File metadata
- Download URL: urllib3_lts-2026.21441.1.tar.gz
- Upload date:
- Size: 4.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
1fc3d1d8811a334cbeb5eb95218ec789e9b574576840ec73f4c195e0a7793354
|
|
| MD5 |
161261d603ada44dafd943c797c40b58
|
|
| BLAKE2b-256 |
c36e5a52ab167965c48a744e2f656eb65b828a0a4781b37802ce6e01451ea2bf
|
Provenance
The following attestation bundles were made for urllib3_lts-2026.21441.1.tar.gz:
Publisher:
publish.yml on 1minds3t/urllib3-lts
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
urllib3_lts-2026.21441.1.tar.gz -
Subject digest:
1fc3d1d8811a334cbeb5eb95218ec789e9b574576840ec73f4c195e0a7793354 - Sigstore transparency entry: 978700424
- Sigstore integration time:
-
Permalink:
1minds3t/urllib3-lts@b6c1e07fb019b74d87f9450da01f76639d92174f -
Branch / Tag:
refs/tags/CVE-2026-21441.1 - Owner: https://github.com/1minds3t
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@b6c1e07fb019b74d87f9450da01f76639d92174f -
Trigger Event:
release
-
Statement type:
File details
Details for the file urllib3_lts-2026.21441.1-py3-none-any.whl.
File metadata
- Download URL: urllib3_lts-2026.21441.1-py3-none-any.whl
- Upload date:
- Size: 3.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
3cdfc420f77ab7823c982a8887b2e3b68c3e141a1fc04001d2bf67597e6d91a5
|
|
| MD5 |
143d48fc1ab2b6804975bef58c56c76c
|
|
| BLAKE2b-256 |
95b42b61102fafd7827fc2dea99272fab2fe254d094c82f1941e4e00db3ed536
|
Provenance
The following attestation bundles were made for urllib3_lts-2026.21441.1-py3-none-any.whl:
Publisher:
publish.yml on 1minds3t/urllib3-lts
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
urllib3_lts-2026.21441.1-py3-none-any.whl -
Subject digest:
3cdfc420f77ab7823c982a8887b2e3b68c3e141a1fc04001d2bf67597e6d91a5 - Sigstore transparency entry: 978700480
- Sigstore integration time:
-
Permalink:
1minds3t/urllib3-lts@b6c1e07fb019b74d87f9450da01f76639d92174f -
Branch / Tag:
refs/tags/CVE-2026-21441.1 - Owner: https://github.com/1minds3t
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@b6c1e07fb019b74d87f9450da01f76639d92174f -
Trigger Event:
release
-
Statement type:
