Released urllib3 2.7.0
Published on May 7, 2026 by Illia Volochii
 📦 urllib3 2.7.0 is now available!
It addresses high-severity security issues related to:
It addresses high-severity security issues related to:
- decompression bombs (GHSA-mf9v-mfxr-j63j)
- sensitive headers transmitted through proxies (GHSA-qccp-gfcp-xxvc)
Impact is limited to specific use cases detailed in the advisories; we estimate overall user exposure to be marginal.
Additionally, the new version makes deprecation warnings more visible, fixes a few bugs and improves type hints.
Check details in our release notes https://github.com/urllib3/urllib3/releases/tag/2.7.0
Note that we're still raising funds for full HTTP/2 support!Â
Additionally, the new version makes deprecation warnings more visible, fixes a few bugs and improves type hints.
Check details in our release notes https://github.com/urllib3/urllib3/releases/tag/2.7.0
Note that we're still raising funds for full HTTP/2 support!Â