What Changed

Updated the urllib3 dependency from version 1.26.20 to 2.6.0 in the Trend Micro Vision One Azure Function data connector, addressing critical security vulnerabilities.

Security Impact (Visibility & Fidelity)

CVE Fixes Applied:

  • CVE-2025-66471 (8.9 High): Fixed decompression bomb vulnerability where compressed HTTP content could cause excessive resource consumption during streaming operations
  • CVE-2025-66418 (8.9 High): Fixed DoS attack vector via unlimited Content-Encoding header chains, now limited to 5 chained encodings maximum

Connector Stability:

  • Function App ingestion remains stable with improved security posture
  • No impact on data collection or parsing logic
  • Enhanced protection against malicious HTTP responses targeting the connector infrastructure

Affected Files

Solutions/Trend Micro Vision One/Data Connectors/AzureFunctionTrendMicroXDR/requirements.txt
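
An added illustration (not urllib3's code and not part of this connector) of the two guards the CVE bullets above describe: a cap on chained Content-Encoding values and a ceiling on decompressed output while streaming. The 1 MiB budget, the function names and the sample payloads are assumptions constructed for the example.

```python
import gzip
import zlib

MAX_ENCODINGS = 5            # chain limit stated above for CVE-2025-66418
MAX_DECODED_BYTES = 1 << 20  # assumed 1 MiB output budget for this example


class UnsafeResponse(Exception):
    """Raised when a response body violates the decoding policy."""


def parse_encodings(header_value):
    """Split a Content-Encoding header into its chain and enforce the limit."""
    chain = [e.strip().lower() for e in header_value.split(",") if e.strip()]
    if len(chain) > MAX_ENCODINGS:
        raise UnsafeResponse(
            f"{len(chain)} chained encodings exceeds limit of {MAX_ENCODINGS}")
    return chain


def bounded_gunzip(chunks, limit=MAX_DECODED_BYTES):
    """Decompress a gzip stream chunk by chunk, aborting past `limit` bytes."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16+ selects gzip framing
    out = bytearray()
    for chunk in chunks:
        data = chunk
        while data:
            # max_length bounds what one call may emit, so a tiny input
            # cannot expand without limit before the size check runs.
            out += d.decompress(data, limit + 1 - len(out))
            if len(out) > limit:
                raise UnsafeResponse(f"decoded body exceeds {limit} bytes")
            data = d.unconsumed_tail  # input held back by max_length
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample: 8 MiB of zeros compresses to a few KiB.
    bomb = gzip.compress(b"\0" * (8 << 20))
    pieces = [bomb[i:i + 1024] for i in range(0, len(bomb), 1024)]
    print("compressed size:", len(bomb))
    try:
        bounded_gunzip(pieces)
    except UnsafeResponse as exc:
        print("rejected:", exc)
    try:
        parse_encodings(", ".join(["gzip"] * 6))
    except UnsafeResponse as exc:
        print("rejected:", exc)
```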