Summary
The current urllib3 >= 1.25.3, < 2.2.3 constraint in setup.py prevents users from upgrading to urllib3 2.6.0+, which contains a critical security fix for CVE-2025-66418.
The Vulnerability
CVE-2025-66418 - Decompression Chain DoS
urllib3 versions prior to 2.6.0 allow an unbounded number of links in the decompression chain, enabling a malicious server to cause high CPU usage and massive memory allocation.
- Advisory: GHSA-gm62-xv2j-4w53
- Fixed in: urllib3 2.6.0
Current Constraint
# setup.py line 26
"urllib3 >= 1.25.3, < 2.2.3"
This blocks installation of urllib3 2.6.0+, which contains the security fix.
Requested Change
Remove the upper bound constraint:
"urllib3 >= 1.25.3"
Or if there's a specific compatibility concern with urllib3 2.x, please update to allow at least 2.6.3:
"urllib3 >= 1.25.3, < 3.0.0"
Impact
Users of dataforseo-client are currently forced to run with a known security vulnerability. Dependency scanners (Snyk, Dependabot, etc.) flag this as a security issue that cannot be remediated without upstream changes.
Environment
- dataforseo-client version: 2.0.17 (latest)
- Python: 3.11+
Thank you for your attention to this security matter.
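As an added example (not code from the issue or from the dataforseo-client project), the script below checks whether a pip-style requirement admits the release that carries a security fix, using the constraint and fix version quoted in the issue. It implements only plain dotted release versions and the six comparison operators, not full PEP 440 syntax, so it runs without the `packaging` library.

```python
"""Does a setup.py version constraint block a security fix?

Added example; the constraint strings and the fixed version are the ones
quoted in the issue above. Only plain X.Y.Z releases are supported.
"""
import re
from typing import List, Tuple

Version = Tuple[int, ...]

_OPS = {
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
}

def parse_version(text: str) -> Version:
    """'2.6.0' -> (2, 6, 0); rejects anything that is not a dotted release."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p) for p in text.split("."))

def parse_requirement(req: str) -> Tuple[str, List[Tuple[str, Version]]]:
    """'urllib3 >= 1.25.3, < 2.2.3' -> ('urllib3', [('>=', (1,25,3)), ('<', (2,2,3))])."""
    m = re.match(r"\s*([A-Za-z0-9_.-]+)\s*(.*)$", req)
    if not m:
        raise ValueError(f"bad requirement: {req!r}")
    clauses = []
    for clause in filter(None, (c.strip() for c in m.group(2).split(","))):
        cm = re.fullmatch(r"(>=|<=|==|!=|>|<)\s*([\d.]+)", clause)
        if not cm:
            raise ValueError(f"unsupported specifier: {clause!r}")
        clauses.append((cm.group(1), parse_version(cm.group(2))))
    return m.group(1), clauses

def _pad(a: Version, b: Version) -> Tuple[Version, Version]:
    """Zero-pad so that 2.6 compares equal to 2.6.0, as PEP 440 requires."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))

def allows(req: str, candidate: str) -> bool:
    """True when every clause of the requirement admits the candidate version."""
    _, clauses = parse_requirement(req)
    cand = parse_version(candidate)
    return all(_OPS[op](*_pad(cand, ver)) for op, ver in clauses)

if __name__ == "__main__":
    FIXED_IN = "2.6.0"  # first urllib3 release with the CVE-2025-66418 fix
    for req in ("urllib3 >= 1.25.3, < 2.2.3",   # current setup.py constraint
                "urllib3 >= 1.25.3, < 3.0.0",   # fallback proposed in the issue
                "urllib3 >= 1.25.3"):           # upper bound removed
        print(f"{req!r:34} admits {FIXED_IN}: {allows(req, FIXED_IN)}")
```

The same check can be run in CI over every pinned dependency so that an upper bound which excludes a published fix is caught before a scanner flags it.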