CVE-2025-66471

CWE-409
14 documents, 8 sources

Severity: 8.9 HIGH
EPSS: 0.0% (top 91.14%)
CISA KEV: Not in KEV
Exploit: No known exploits

Timeline
Published: Dec 5
Latest update: Jan 13

Description

urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, b

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

Affected Packages (5 packages)

Source      Package            Affected range
NVD         python/urllib3     >= 1.0, < 2.6.0
Debian      python-urllib3     < 2.6.3-1
Ubuntu      python-urllib3     < 2.0.7-1ubuntu0.6+3
PyPI        urllib3            >= 1.0, < 2.6.0
CVEListV5   urllib3/urllib3    >= 1.0, < 2.6.0

Patches

Vulnerability Details (7)

OSV: python-urllib3 regression (2026-01-13)
OSV: python-urllib3 regression (2026-01-12)
OSV: python-urllib3 vulnerabilities (2025-12-11)
OSV: CVE-2025-66471: urllib3 is a user-friendly HTTP client library for Python (2025-12-05)
CVEList: urllib3 Streaming API improperly handles highly compressed data (2025-12-05)

Vendor Advisories (6)

Ubuntu: urllib3 regression (2026-01-13)
Ubuntu: urllib3 regression (2026-01-12)
Ubuntu: urllib3 vulnerabilities (2025-12-11)
Microsoft: urllib3 Streaming API improperly handles highly compressed data (2025-12-09)
Red Hat: urllib3: urllib3 Streaming API improperly handles highly compressed data (2025-12-05)