What Changed
WithSecure Elements Via Function connector dependency urllib3 upgraded from 2.5.0 to 2.6.0 to address critical security vulnerabilities.
Security Impact (Visibility & Fidelity)
The WithSecure Elements connector was vulnerable to two high-severity denial of service attacks via malicious HTTP responses:
- CVE-2025-66471 (8.9 High): Decompression bomb vulnerability where highly compressed HTTP content could cause excessive resource consumption during streaming API operations
- CVE-2025-66418 (8.9 High): Unlimited chained Content-Encoding headers could exhaust system resources during decoding
Affected deployments running WithSecure Elements connector versions with urllib3 2.5.0 or earlier are vulnerable to resource exhaustion attacks that could disrupt endpoint security data ingestion.
Affected Files
Solutions/WithSecureElementsViaFunction/Data Connectors/requirements.txt
(packaging artefacts: WithSecureElementsViaFunctionConn.zip)