urllib3
diff --git a/‎CHANGES.rst‎
Lines changed: 22 additions & 0 deletions b/‎CHANGES.rst‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎docs/advanced-usage.rst‎
Lines changed: 2 additions & 1 deletion b/‎docs/advanced-usage.rst‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎docs/user-guide.rst‎
Lines changed: 2 additions & 2 deletions b/‎docs/user-guide.rst‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎noxfile.py‎
Lines changed: 12 additions & 4 deletions b/‎noxfile.py‎
Lines changed: 12 additions & 4 deletions
diff --git a/‎pyproject.toml‎
Lines changed: 3 additions & 2 deletions b/‎pyproject.toml‎
Lines changed: 3 additions & 2 deletions
@@ -1,3 +1,25 @@
+2.6.0 (TBD)
+==================
+
+Bugfixes
+--------
+
+- Fixed a security issue where streaming API could improperly handle highly
+  compressed HTTP content ("decompression bombs") leading to excessive resource
+  consumption even when a small amount of data was requested. Reading small
+  chunks of compressed data is safer and much more efficient now.
+
+.. caution::
+  - If urllib3 is not installed with the optional `urllib3[brotli]` extra, but
+    your environment contains a Brotli/brotlicffi/brotlipy package anyway, make
+    sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to
+    benefit from the security fixes and avoid warnings. Prefer using
+    `urllib3[brotli]` to install a compatible Brotli package automatically.
+
+  - If you use custom decompressors, please make sure to update them to
+    respect the changed API of ``urllib3.response.ContentDecoder``.
+
+
 2.5.0 (2025-06-18)
 ==================
 
 
@@ -66,7 +66,8 @@ When using ``preload_content=True`` (the default setting) the
 response body will be read immediately into memory and the HTTP connection
 will be released back into the pool without manual intervention.
 
-However, when dealing with large responses it's often better to stream the response
+However, when dealing with responses of large or unknown length,
+it's often better to stream the response
 content using ``preload_content=False``. Setting ``preload_content`` to ``False`` means
 that urllib3 will only read from the socket when data is requested.
 
 
@@ -145,8 +145,8 @@ to a byte string representing the response content:
     print(resp.data)
     # b"\xaa\xa5H?\x95\xe9\x9b\x11"
 
-.. note:: For larger responses, it's sometimes better to :ref:`stream <stream>`
-    the response.
+.. note:: For responses of large or unknown length, it's sometimes better to
+    :ref:`stream <stream>` the response.
 
 Using io Wrappers with Response Content
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
@@ -15,6 +15,7 @@
 def tests_impl(
     session: nox.Session,
     extras: str | None = None,
+    extra_dependencies: list[str] | None = None,
     # hypercorn dependency h2 compares bytes and strings
     # https://github.com/python-hyper/h2/issues/1236
     byte_string_comparisons: bool = False,
@@ -33,8 +34,9 @@ def tests_impl(
     implementation_name, release_level, _is_gil_enabled = session_python_info.split(" ")
     free_threading = _is_gil_enabled == "False"
 
-    # brotlicffi does not support free-threading
-    extras = "socks,zstd,h2" if free_threading else "socks,brotli,zstd,h2"
+    if extras is None:
+        # brotlicffi does not support free-threading
+        extras = "socks,zstd,h2" if free_threading else "socks,brotli,zstd,h2"
 
     # Install deps and the package itself.
     session.run_install(
@@ -45,6 +47,8 @@ def tests_impl(
         dependency_group,
         *(f"--extra={extra}" for extra in (extras.split(",") if extras else ())),
     )
+    if extra_dependencies:
+        session.install(*extra_dependencies)
     # Show the uv version.
     session.run("uv", "--version")
     # Print the Python version, bytesize and free-threading status.
@@ -130,8 +134,12 @@ def test_brotlipy(session: nox.Session) -> None:
     'brotlicffi' that we still don't blow up.
     """
     session.env["UV_PROJECT_ENVIRONMENT"] = session.virtualenv.location
-    session.install("brotlipy")
-    tests_impl(session, extras="socks", byte_string_comparisons=False)
+    tests_impl(
+        session,
+        extras="socks",
+        extra_dependencies=["brotlipy"],
+        byte_string_comparisons=False,
+    )
 
 
 def git_clone(session: nox.Session, git_url: str) -> None:
 
@@ -43,8 +43,8 @@ dynamic = ["version"]
 
 [project.optional-dependencies]
 brotli = [
-  "brotli>=1.0.9; platform_python_implementation == 'CPython'",
-  "brotlicffi>=0.8.0; platform_python_implementation != 'CPython'"
+  "brotli>=1.2.0; platform_python_implementation == 'CPython'",
+  "brotlicffi>=1.2.0.0; platform_python_implementation != 'CPython'"
 ]
 zstd = [
   "backports.zstd>=1.0.0; python_version<'3.14'",
@@ -158,6 +158,7 @@ filterwarnings = [
     '''default:ssl\.PROTOCOL_TLSv1_1 is deprecated:DeprecationWarning''',
     '''default:ssl\.PROTOCOL_TLSv1_2 is deprecated:DeprecationWarning''',
     '''default:ssl NPN is deprecated, use ALPN instead:DeprecationWarning''',
+    '''default:Brotli >= 1.2.0 is required to prevent decompression bombs\.:urllib3.exceptions.DependencyWarning''',
     # https://github.com/SeleniumHQ/selenium/issues/13328
     '''default:unclosed file <_io\.BufferedWriter name='/dev/null'>:ResourceWarning''',
     # https://github.com/SeleniumHQ/selenium/issues/14686