CVE-2025-66418

EUVD-2025-201421
urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 7%
Affected Products (NVD)
VendorProductVersion
pythonurllib3
1.24 ≤
𝑥
< 2.6.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
python-urllib3
bookworm
vulnerable
bookworm (security)
1.26.12-1+deb12u3
fixed
bullseye
vulnerable
bullseye (security)
1.26.5-1~exp1+deb11u3
fixed
forky
2.6.3-1
fixed
sid
2.6.3-1
fixed
trixie
vulnerable
trixie (security)
2.3.0-3+deb13u1
fixed
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://github.com/urllib3/urllib3/commit/24d7b67eac89f94e11003424bcf0d8f7b72222a8
https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53