Describe the bug
urllib3 2.7.0 was released on May 7 and fixes two vulnerabilities:
- CVE-2026-44431 (CVSS 8.2, High) — sensitive headers (Authorization, Cookie, Proxy-Authorization) not stripped on cross-origin redirects when using the low-level ProxyManager API path
- CVE-2026-44432 (CVSS 8.9, High) — decompression bomb via Brotli streaming API (CWE-409)
pyproject.toml currently caps urllib3 at <=2.6.3, which prevents the fix from being resolved:
"urllib3>=1.25.4,<=2.6.3",
Upstream botocore already merged the 2.7.0 bump in boto/botocore#3702 (May 12). The same port-and-lift pattern used in #9971 for 2.6.3 should apply here.
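To make the cap concrete, here is an added example (not code from aws-cli, botocore or urllib3) that evaluates a PEP 440-style requirement string against a candidate release and reports which clause excludes it. The capped requirement is the line quoted above; the loosened requirement `urllib3>=1.25.4,<3` is a hypothetical spec chosen only to show a resolvable case, not the exact change merged upstream. It handles plain numeric releases only, which is all this check needs.

```python
import re

# Constructed sample: the dependency line quoted in this issue, embedded
# inline so the check runs offline without reading the real pyproject.toml.
CAPPED_REQUIREMENT = "urllib3>=1.25.4,<=2.6.3"

# Hypothetical loosened constraint for illustration only; it is not the
# exact change made upstream, just a spec that admits the patched release.
LOOSENED_REQUIREMENT = "urllib3>=1.25.4,<3"

_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*?)\s*$")
_CLAUSE_RE = re.compile(r"^(<=|>=|==|!=|<|>)\s*([0-9]+(?:\.[0-9]+)*)$")


def parse_version(text):
    """Turn a dotted release string into a comparable tuple of ints.

    Only plain numeric releases (e.g. 2.7.0) are handled; pre-release and
    local version segments are outside what this check needs.
    """
    return tuple(int(part) for part in text.split("."))


def parse_requirement(requirement):
    """Split 'name>=a,<b' into (name, [(op, version_tuple), ...])."""
    m = _REQ_RE.match(requirement)
    if not m:
        raise ValueError(f"unparseable requirement: {requirement!r}")
    name, spec = m.group(1), m.group(2)
    clauses = []
    for raw in filter(None, (c.strip() for c in spec.split(","))):
        cm = _CLAUSE_RE.match(raw)
        if not cm:
            raise ValueError(f"unsupported clause: {raw!r}")
        clauses.append((cm.group(1), parse_version(cm.group(2))))
    return name, clauses


_OPS = {
    "<": lambda v, b: v < b,
    "<=": lambda v, b: v <= b,
    ">": lambda v, b: v > b,
    ">=": lambda v, b: v >= b,
    "==": lambda v, b: v == b,
    "!=": lambda v, b: v != b,
}


def blocking_clauses(requirement, candidate):
    """Return the clauses of `requirement` that exclude `candidate`.

    An empty list means the candidate version is resolvable under the spec;
    otherwise each entry names the clause a resolver would trip over.
    """
    _, clauses = parse_requirement(requirement)
    v = parse_version(candidate)
    return [
        f"{op}{'.'.join(map(str, bound))}"
        for op, bound in clauses
        if not _OPS[op](v, bound)
    ]


def is_resolvable(requirement, candidate):
    """True when no clause of the requirement excludes the candidate."""
    return not blocking_clauses(requirement, candidate)


if __name__ == "__main__":
    for req in (CAPPED_REQUIREMENT, LOOSENED_REQUIREMENT):
        blocked = blocking_clauses(req, "2.7.0")
        status = "blocked by " + ", ".join(blocked) if blocked else "resolvable"
        print(f"{req!r}: urllib3 2.7.0 {status}")
```

Running it shows `<=2.6.3` as the single clause that keeps 2.7.0 out, which is the same conclusion a resolver reaches when it refuses to install the patched release against the current pyproject.toml.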
Regression Issue
Expected Behavior
Patched dependencies are available to use.
Current Behavior
Unpatched dependencies are forced.
Reproduction Steps
Build file config.
Possible Solution
Upstream botocore already merged the 2.7.0 bump in boto/botocore#3702 (May 12). The same port-and-lift pattern used in #9971 for 2.6.3 should apply here.
Additional Information/Context
No response
CLI version used
2.30 +
Environment details (OS name and version, etc.)
linux/6.17.0-20-generic