ultimate-sitemap-parser gzip decompression bomb vulnerability
A gzip decompression bomb vulnerability was discovered.
What changed
The library enforces a 100 MiB size limit on sitemap responses, but applies it only to the compressed bytes. When a .gz sitemap is fetched, it is decompressed with no cap on the output size, so a small compressed payload (~549 KB) can expand to over 120 MiB in memory, bypassing the limit and potentially causing a denial of service.
Who it affects
Any application that calls sitemap_tree_for_homepage() against an attacker-controlled or compromised domain. This includes SEO tools, search engine crawlers, indexing services, web frameworks, and automated pipelines that crawl third-party sitemaps.
What to do today
Apply the remediation patch: modify gunzip() in usp/helpers.py to accept a max_output_bytes parameter and enforce it during decompression, and pass the max uncompressed size from fetch_parse.py. Alternatively, upgrade to a patched version if available.
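A bounded gunzip() of the kind the remediation describes, added here as an example and not the project's own code: the function name, the max_output_bytes parameter and the 100 MiB default come from this advisory, while the 64 KiB chunk size, the exception class and the helper names are assumptions. It decompresses in bounded slices so a bomb is rejected once the cap is passed, instead of being fully inflated first and measured afterwards.

```python
import gzip
import zlib

# Default taken from the advisory's 100 MiB response limit; the chunk size is an assumption.
MAX_UNCOMPRESSED_BYTES = 100 * 1024 * 1024
_CHUNK = 64 * 1024


class DecompressionLimitExceeded(ValueError):
    """Raised when decompressed output would exceed max_output_bytes."""


def gunzip(data: bytes, max_output_bytes: int = MAX_UNCOMPRESSED_BYTES) -> bytes:
    """Decompress gzip data, aborting as soon as the output cap is exceeded.

    Unlike gzip.decompress(), which inflates everything before the caller can
    measure it, zlib.decompressobj() with max_length emits output in bounded
    slices, so peak memory stays at most max_output_bytes + _CHUNK.
    """
    out = bytearray()
    buf = data
    while buf:  # one iteration per concatenated gzip member
        d = zlib.decompressobj(wbits=zlib.MAX_WBITS | 16)  # gzip framing only
        while not d.eof:
            chunk = d.decompress(buf, _CHUNK)
            out += chunk
            if len(out) > max_output_bytes:
                raise DecompressionLimitExceeded(
                    f"decompressed output exceeds {max_output_bytes} bytes")
            buf = d.unconsumed_tail  # input held back because max_length was hit
            if not chunk and not buf and not d.eof:
                raise ValueError("truncated or corrupt gzip stream")
        buf = d.unused_data  # bytes after this member, if any
    return bytes(out)


def within_cap(data: bytes, max_output_bytes: int) -> bool:
    """True if data decompresses within the cap, False if the cap tripped."""
    try:
        gunzip(data, max_output_bytes)
    except DecompressionLimitExceeded:
        return False
    return True


def zero_filled_gzip(size: int) -> bytes:
    """Constructed test input: `size` zero bytes, which gzip shrinks roughly 1000:1."""
    return gzip.compress(b"\0" * size)
```

The same cap should be passed in from the fetch layer, so the limit applied to compressed bytes and the limit applied to decompressed bytes come from one setting.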