CVE-2025-66418

Name
CVE-2025-66418
Description
urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps, leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.
NVD Severity
high
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type     URI
MISC     https://github.com/urllib3/urllib3/commit/24d7b67eac89f94e11003424bcf0d8f7b72222a8
CONFIRM  https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53

Match rules

CPE URI   Source package   Min version   Max version
          py3-urllib3      >= 1.24       < 2.6.0

Vulnerable and fixed packages

Source package   Branch      Version      Maintainer                                     Status
py3-urllib3      edge-main   2.5.0-r0     Francesco Colista <fcolista@alpinelinux.org>   possibly vulnerable
py3-urllib3      edge-main   1.26.20-r0   Francesco Colista <fcolista@alpinelinux.org>   possibly vulnerable
py3-urllib3      edge-main   1.26.18-r0   Francesco Colista <fcolista@alpinelinux.org>   possibly vulnerable
py3-urllib3      edge-main   1.26.17-r0   Francesco Colista <fcolista@alpinelinux.org>   possibly vulnerable
py3-urllib3      edge-main   1.26.4-r0    None                                           possibly vulnerable
py3-urllib3      edge-main   1.25.9-r0    None                                           possibly vulnerable
py3-urllib3      3.23-main   2.6.3-r0     Francesco Colista <fcolista@alpinelinux.org>   fixed
py3-urllib3      3.23-main   2.5.0-r0     Francesco Colista <fcolista@alpinelinux.org>   possibly vulnerable
py3-urllib3      3.22-main   1.26.20-r1   Francesco Colista <fcolista@alpinelinux.org>   possibly vulnerable
py3-urllib3      3.22-main   1.26.20-r0   Francesco Colista <fcolista@alpinelinux.org>   possibly vulnerable
py3-urllib3      3.22-main   1.26.18-r0   None                                           possibly vulnerable
py3-urllib3      3.22-main   1.26.17-r0   None                                           possibly vulnerable
py3-urllib3      3.22-main   1.26.4-r0    None                                           possibly vulnerable
py3-urllib3      3.22-main   1.25.9-r0    None                                           possibly vulnerable
py3-urllib3      3.21-main   1.26.20-r1   Francesco Colista <fcolista@alpinelinux.org>   possibly vulnerable
py3-urllib3      3.21-main   1.26.20-r0   Francesco Colista <fcolista@alpinelinux.org>   possibly vulnerable
py3-urllib3      3.21-main   1.26.18-r0   None                                           possibly vulnerable
py3-urllib3      3.21-main   1.26.17-r0   None                                           possibly vulnerable
py3-urllib3      3.21-main   1.26.4-r0    None                                           possibly vulnerable
py3-urllib3      3.21-main   1.25.9-r0    None                                           possibly vulnerable
py3-urllib3      3.20-main   1.26.18-r2   Francesco Colista <fcolista@alpinelinux.org>   possibly vulnerable
py3-urllib3      3.20-main   1.26.18-r1   Francesco Colista <fcolista@alpinelinux.org>   possibly vulnerable
py3-urllib3      3.20-main   1.26.18-r0   None                                           possibly vulnerable
py3-urllib3      3.20-main   1.26.17-r0   None                                           possibly vulnerable
py3-urllib3      3.20-main   1.26.4-r0    None                                           possibly vulnerable
py3-urllib3      3.20-main   1.25.9-r0    None                                           possibly vulnerable
py3-urllib3      3.19-main   1.26.18-r0   Francesco Colista <fcolista@alpinelinux.org>   possibly vulnerable
py3-urllib3      3.19-main   1.26.17-r0   None                                           possibly vulnerable
py3-urllib3      3.19-main   1.26.4-r0    None                                           possibly vulnerable
py3-urllib3      3.19-main   1.25.9-r0    None                                           possibly vulnerable