CVE-2025-66418

CWE-770 — Allocation without Limits14 documents9 sources

Severity

8.9HIGH

EPSS

0.0%

top 90.41%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Python Urllib3 Urllib3 Urllib3

Timeline

PublishedDec 5

Latest updateFeb 4

Description

urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

Affected Packages5 packages

▶NVDpython/urllib31.24 — 2.6.0

▶Debianpython-urllib3< 1.26.5-1~exp1+deb11u2+3

▶Ubuntupython-urllib3< 1.26.5-1~exp1ubuntu0.4+7

▶PyPIurllib31.24 — 2.6.0

▶CVEListV5urllib3/urllib3>= 1.24, < 2.6.0

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

python-urllib3 regression↗2026-01-13

▶

OSV

python-urllib3 regression↗2026-01-12

▶

OSV

python-urllib3 vulnerabilities↗2025-12-11

▶

OSV

urllib3 allows an unbounded number of links in the decompression chain↗2025-12-05

▶

CVEList

urllib3 allows an unbounded number of links in the decompression chain↗2025-12-05

▶

📋Vendor Advisories

Ubuntu

pip vulnerabilities↗2026-02-04

▶

Oracle

Oracle Oracle Communications Risk Matrix: Mediation Engine (urllib3) — CVE-2025-66418↗2026-01-15

▶

Ubuntu

urllib3 vulnerabilities↗2025-12-11

▶

Microsoft

urllib3 allows an unbounded number of links in the decompression chain↗2025-12-09

▶

Red Hat

urllib3: urllib3: Unbounded decompression chain leads to resource exhaustion↗2025-12-05

▶