VULN UPGRADE: major upgrades — 6 packages (major: 3 · unstable: 1 · minor: 2) [log-downloader]

[campaigner-prod]

Summary: High-severity security update — 6 packages upgraded (MAJOR changes included)

Manifests changed:

• log-downloader (pip)

Updates

Package	From	To	Type	Vulnerabilities Fixed
urllib3	1.25.3	2.6.3	major	15 HIGH, 10 MODERATE
certifi	2019.6.16	2026.2.25	major	3 HIGH, 1 MODERATE, 2 MEDIUM
requests	2.22.0	2.32.5	minor	7 MODERATE
idna	2.8	2.9	minor	3 MODERATE
chardet	3.0.4	5.2.0	major	-
datadog	0.29.3	0.52.1	unstable	-

Packages marked with "-" are updated due to dependency constraints.

---

Warning

Major Version Upgrade

This update includes major version changes that may contain breaking changes. Please:

• Review the changelog/release notes for breaking changes
• Test thoroughly in a staging environment
• Update any code that depends on changed APIs
• Ensure all tests pass before merging

Security Details

🚨 Critical & High Severity (18 fixed)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
certifi	GHSA-xqr8-7jwr-rhp7	HIGH	Removal of e-Tugra root certificate	2019.6.16	2023.7.22
certifi	PYSEC-2023-135	high	-	2019.6.16	2023.7.22
certifi	CVE-2023-37920	high	Certifi's removal of e-Tugra root certificate	2019.6.16	-
urllib3	CVE-2026-21441	HIGH	urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API)	1.25.3	-
urllib3	GHSA-38jv-5279-wg99	HIGH	Decompression-bomb safeguards bypassed when following HTTP redirects (streaming API)	1.25.3	2.6.3
urllib3	CVE-2023-43804	HIGH	Cookie HTTP header isn't stripped on cross-origin redirects	1.25.3	-
urllib3	PYSEC-2023-192	HIGH	-	1.25.3	644124ecd0b6e417c527191f866daa05a5a2056d
urllib3	GHSA-hmv2-79q8-fv6g	HIGH	Uncontrolled Resource Consumption in urllib3	1.25.3	1.25.8
urllib3	CVE-2020-7212	HIGH	-	1.25.3	-
urllib3	PYSEC-2020-149	HIGH	-	1.25.3	a74c9cfbaed9f811e7563cfc3dce894928e0221a
urllib3	GHSA-gm62-xv2j-4w53	HIGH	urllib3 allows an unbounded number of links in the decompression chain	1.25.3	2.6.0
urllib3	CVE-2025-66418	HIGH	urllib3 allows an unbounded number of links in the decompression chain	1.25.3	-
urllib3	GHSA-2xpw-w6gg-jr37	HIGH	urllib3 streaming API improperly handles highly compressed data	1.25.3	2.6.0
urllib3	CVE-2025-66471	HIGH	urllib3 Streaming API improperly handles highly compressed data	1.25.3	-
urllib3	PYSEC-2021-108	high	-	1.25.3	2d4a3fee6de2fa45eb82169361918f759269b4ec
urllib3	CVE-2021-33503	high	-	1.25.3	-
urllib3	GHSA-q2q7-5pp4-w6pg	HIGH	Catastrophic backtracking in URL authority parser when passed URL containing many @ characters	1.25.3	1.26.5
urllib3	GHSA-v845-jxx5-vc9f	HIGH	Cookie HTTP header isn't stripped on cross-origin redirects	1.25.3	2.0.6

ℹ️ Other Vulnerabilities (23)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
certifi	PYSEC-2022-42986	medium	-	2019.6.16	2022.12.7
certifi	CVE-2022-23491	medium	Removal of TrustCor root certificate	2019.6.16	-
certifi	GHSA-43fp-rhv2-5gv8	MODERATE	Certifi removing TrustCor root certificate	2019.6.16	2022.12.07
idna	GHSA-jjg7-2v4v-x38h	MODERATE	Internationalized Domain Names in Applications (IDNA) vulnerable to denial of service from specially crafted inputs to idna.encode	2.8	3.7
idna	PYSEC-2024-60	MODERATE	-	2.8	1d365e17e10d72d0b7876316fc7b9ca0eebdd38d
idna	CVE-2024-3651	MODERATE	-	2.8	-
requests	PYSEC-2023-74	MODERATE	-	2.22.0	74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5
requests	GHSA-j8r2-6x86-q33q	MODERATE	Unintended leak of Proxy-Authorization header in requests	2.22.0	2.31.0
requests	CVE-2024-35195	MODERATE	Requests Session object does not verify requests after making first request with verify=False	2.22.0	-
requests	GHSA-9wx4-h78v-vm56	MODERATE	Requests Session object does not verify requests after making first request with verify=False	2.22.0	2.32.0
requests	CVE-2024-47081	MODERATE	Requests vulnerable to .netrc credentials leak via malicious URLs	2.22.0	-
requests	GHSA-9hjg-9r4m-mvj7	MODERATE	Requests vulnerable to .netrc credentials leak via malicious URLs	2.22.0	2.32.4
requests	CVE-2023-32681	MODERATE	Unintended leak of Proxy-Authorization header in requests	2.22.0	-
urllib3	CVE-2020-26137	MODERATE	-	1.25.3	-
urllib3	CVE-2024-37891	MODERATE	Proxy-Authorization request header isn't stripped during cross-origin redirects in urllib3	1.25.3	-
urllib3	GHSA-34jh-p97f-mpxf	MODERATE	urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects	1.25.3	1.26.19
urllib3	GHSA-g4mx-q9vg-27p4	MODERATE	urllib3's request body not stripped after redirect from 303 status changes request method to GET	1.25.3	2.0.7
urllib3	GHSA-wqvq-5m8c-6g24	MODERATE	CRLF injection in urllib3	1.25.3	1.25.9
urllib3	PYSEC-2020-148	MODERATE	-	1.25.3	1dd69c5c5982fae7c87a620d487c2ebf7a6b436b
urllib3	CVE-2023-45803	MODERATE	Request body not stripped after redirect in urllib3	1.25.3	-
urllib3	CVE-2025-50181	MODERATE	urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation	1.25.3	-
urllib3	GHSA-pq67-6m6q-mj2v	MODERATE	urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation	1.25.3	2.5.0
urllib3	PYSEC-2023-212	MODERATE	-	1.25.3	4e98d57809dacab1cbe625fddeec1a290c478ea9

⚠️ Dependencies that have Reached EOL (6)

Dependency	Unsafe Version	EOL Date	New Version	Path
certifi	2019.6.16	-	2026.2.25	log-downloader/requirements.txt
chardet	3.0.4	-	5.2.0	log-downloader/requirements.txt
datadog	0.29.3	-	0.52.1	log-downloader/requirements.txt
idna	2.8	-	2.9	log-downloader/requirements.txt
requests	2.22.0	-	2.32.5	log-downloader/requirements.txt
urllib3	1.25.3	-	2.6.3	log-downloader/requirements.txt

---

Review Checklist

Extra review is recommended for this update:

• Review changes for compatibility with your code
• Check release notes for breaking changes
• Run integration tests to verify service behavior
• Test in staging environment before production
• Monitor key metrics after deployment

---

Update Mode: Vulnerability Remediation (High)

🤖 Generated by DataDog Automated Dependency Management System