What Changed
Box connector dependency urllib3 upgraded from 2.5.0 to 2.6.0 to address critical security vulnerabilities.
Security Impact (Visibility & Fidelity)
The Box connector was vulnerable to two high-severity denial-of-service attacks triggered by malicious HTTP responses:
- CVE-2025-66471 (8.9 High): Decompression bomb vulnerability where highly compressed HTTP content could cause excessive resource consumption during streaming API operations
- CVE-2025-66418 (8.9 High): Unlimited chained Content-Encoding headers could exhaust system resources during decoding
Affected deployments running Box connector versions with urllib3 2.5.0 or earlier are vulnerable to resource exhaustion attacks that could disrupt data ingestion.
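Both issues above come down to a response driving unbounded work (inflating an oversized body, or unwinding an arbitrarily long coding chain). The following Python is an added example, not code from the connector or from urllib3: it checks that requirements.txt carries the upgraded pin, rejects over-long Content-Encoding chains, and inflates gzip bodies under a hard output budget. The limits and helper names are assumptions; the minimum version is the one this change pins.

```python
import gzip
import re
import zlib

# Minimum urllib3 version: the one the connector was upgraded to.
MIN_URLLIB3 = (2, 6, 0)
# Assumed policy limits for responses the connector is willing to process.
MAX_ENCODING_CHAIN = 2
KNOWN_ENCODINGS = {"gzip", "x-gzip", "deflate", "br", "zstd", "identity"}


def urllib3_pin_ok(requirements_text):
    """True if requirements.txt pins urllib3 at or above MIN_URLLIB3."""
    for line in requirements_text.splitlines():
        m = re.match(r"^\s*urllib3\s*==\s*(\d+(?:\.\d+)*)", line, re.I)
        if m:
            return tuple(int(p) for p in m.group(1).split(".")) >= MIN_URLLIB3
    return False  # missing or unpinned: cannot prove the fixed version is in use


def encoding_chain_ok(content_encoding):
    """Reject Content-Encoding chains that are too long or contain unknown codings."""
    codings = [c.strip().lower() for c in content_encoding.split(",") if c.strip()]
    return len(codings) <= MAX_ENCODING_CHAIN and all(c in KNOWN_ENCODINGS for c in codings)


def bounded_gunzip(data, max_out, chunk=4096):
    """Inflate gzip data, raising ValueError as soon as output would exceed max_out."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16+ selects the gzip wrapper
    out, pos, pending = bytearray(), 0, b""
    while True:
        if pending:                       # input zlib held back on the previous call
            src = pending
        elif pos < len(data):
            src, pos = data[pos:pos + chunk], pos + chunk
        else:
            break
        # Ask for one byte more than the remaining budget so an overrun is detectable.
        out += d.decompress(src, max_out - len(out) + 1)
        if len(out) > max_out:
            raise ValueError("decompressed size exceeds %d bytes" % max_out)
        pending = d.unconsumed_tail
        if d.eof:
            break
    return bytes(out)


def make_gzip(payload):
    """Constructed test input; a long run of zeros compresses to a tiny 'bomb'."""
    return gzip.compress(payload)
```

Calling bounded_gunzip(make_gzip(b"\0" * (1 << 20)), 64 * 1024) raises after inflating only the budgeted 64 KiB plus one byte, while a normal body under the limit is returned intact.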
Affected Files
Solutions/Box/Data Connectors/requirements.txt
(packaging artefacts: BoxConn.zip)