CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)
The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.
Overview
An example of data amplification is a "decompression bomb," a small ZIP file that can produce a large amount of data when it is decompressed.
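The defensive counterpart to a decompression bomb is to never inflate untrusted input without a ceiling. The following Python is an added example, not text from the CWE entry or code from urllib3 or any other project named on this page: it inflates a zlib- or gzip-wrapped stream in bounded chunks and refuses the input as soon as either an absolute output cap or an output/input ratio cap is exceeded, so memory use stays near the cap instead of tracking the attacker-controlled expanded size. The function names, the 100:1 ratio and the 64 KiB chunk size are illustrative choices.

```python
import gzip  # used only to show that gzip-wrapped input is accepted as well
import zlib


class DecompressionBombError(ValueError):
    """Raised when compressed input would expand past the configured limits."""


def _check_caps(produced: int, consumed: int, max_output: int, max_ratio: int) -> None:
    """Enforce the two limits; called after every chunk so failure is early."""
    if produced > max_output:
        raise DecompressionBombError(
            f"output exceeds {max_output} bytes ({produced} produced so far)")
    if produced > max_ratio * consumed:
        raise DecompressionBombError(
            f"amplification exceeds {max_ratio}:1 ({produced} bytes from {consumed})")


def safe_decompress(data: bytes, max_output: int, max_ratio: int = 100,
                    chunk: int = 64 * 1024) -> bytes:
    """Inflate a zlib- or gzip-wrapped stream under an output cap and a ratio cap.

    Output is requested at most `chunk` bytes at a time; zlib parks the input it
    has not yet consumed in `unconsumed_tail`, so nothing beyond the current
    chunk is expanded before the caps are re-checked.
    """
    # wbits = MAX_WBITS | 32 lets zlib auto-detect a zlib or gzip header.
    d = zlib.decompressobj(wbits=zlib.MAX_WBITS | 32)
    out = bytearray()
    pending = data
    while pending:
        out += d.decompress(pending, chunk)
        _check_caps(len(out), len(data), max_output, max_ratio)
        pending = d.unconsumed_tail
    out += d.flush()  # drain anything zlib still buffers internally
    _check_caps(len(out), len(data), max_output, max_ratio)
    if not d.eof:
        raise ValueError("truncated or corrupt compressed stream")
    return bytes(out)


def is_decompression_bomb(data: bytes, max_output: int, max_ratio: int = 100) -> bool:
    """Convenience wrapper: True if the input trips either cap, False otherwise."""
    try:
        safe_decompress(data, max_output, max_ratio)
    except DecompressionBombError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: a benign payload and a highly compressible one.
    benign = bytes(range(256)) * 4                     # 1 KiB, modest ratio
    amplified = zlib.compress(b"\0" * (10 * 1024 * 1024), 9)  # ~10 KiB in, 10 MiB out

    print(safe_decompress(zlib.compress(benign), max_output=4096) == benign)  # True
    print(safe_decompress(gzip.compress(benign), max_output=4096) == benign)  # True
    print(is_decompression_bomb(amplified, max_output=1024 * 1024))           # True
```

The ratio cap is what distinguishes this from a plain size limit: a stream that stays under the absolute cap but expands a few bytes into hundreds of kilobytes is still rejected, and because the caps are re-checked per chunk the process never allocates the full expanded size before deciding.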
Real-world CVEs
46 recorded CVEs are caused by CWE-409 (Improper Handling of Highly Compressed Data (Data Amplification)). The highest-severity and most recent are shown first. 21 new CWE-409 CVEs have been recorded so far in 2026 (14 in 2025).
- CVE-2026-44432: urllib3: Decompression-bomb safeguards bypassed in parts of the streaming API
  High · CVSS 8.9 · EPSS 5th · 2026-05-13
- CVE-2026-21441: urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API)
  High · CVSS 8.9 · EPSS 3rd · 2026-01-07
- CVE-2025-66471: urllib3 Streaming API improperly handles highly compressed data
  High · CVSS 8.9 · EPSS 4th · 2025-12-05