CVE-2025-66418
BaseFortify
Publication date: 2025-12-05
Last updated on: 2025-12-10
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| python | urllib3 | From 1.24 (inc) to 2.6.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in urllib3 versions from 1.24 up to but not including 2.6.0 allows a malicious server to create an unbounded number of compression steps in the decompression chain. This leads to excessive CPU usage and massive memory allocation when decompressing data, potentially causing performance degradation or denial of service.
How can this vulnerability impact me?
The vulnerability can cause high CPU usage and large memory consumption on systems using affected versions of urllib3 when processing maliciously crafted compressed data. This can degrade system performance, cause application crashes, or lead to denial of service.
What immediate steps should I take to mitigate this vulnerability?
Update urllib3 to version 2.6.0 or later, as this version contains the fix for the vulnerability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To detect this vulnerability on your system, check the installed urllib3 version: any version >= 1.24 and < 2.6.0 is vulnerable. For example, run `pip show urllib3` or `pip list | grep urllib3` to find the installed version.

To detect exploitation attempts on your network, monitor HTTP responses for a `Content-Encoding` header containing an excessive number of chained encodings (more than 5). You can use tools like `tcpdump` or `Wireshark` to capture HTTP traffic and filter for suspicious `Content-Encoding` headers. For example, using `tcpdump` to capture HTTP traffic: `tcpdump -A -s 0 'tcp port 80' | grep -i 'Content-Encoding'`. Then manually inspect whether the header contains more than 5 encodings separated by commas. Note that this capture only covers unencrypted HTTP; for HTTPS, the header is visible only at the client after TLS termination, so application-side checks are needed there.

If you are processing HTTP responses in your application, add logging that records the length of the encoding chain in the `Content-Encoding` header before decompression. If an immediate upgrade is not possible, disable automatic content decoding by setting `preload_content=False` and manually verify the number of encodings in the header before decoding, to avoid resource exhaustion. [2, 1]
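The checks described above, as an added example that is not code from BaseFortify or from the urllib3 project: it counts the encodings in a `Content-Encoding` header against the advisory's threshold of 5, gates decoding of a response fetched with `preload_content=False`, tests an installed version string against the vulnerable range, and scans captured header lines such as the `tcpdump | grep` output. The threshold constant and the sample headers are assumptions constructed for the example.

```python
"""Defender-side checks for CVE-2025-66418 (urllib3 unbounded decompression chain).
Added example; not code from BaseFortify or from the urllib3 project."""
import re

MAX_ENCODING_CHAIN = 5  # threshold the advisory text uses ("more than 5"); assumed


def parse_content_encoding(header_value):
    """Split a Content-Encoding header into its comma-separated encoding tokens."""
    return [tok.strip().lower() for tok in header_value.split(",") if tok.strip()]


def encoding_chain_is_suspicious(header_value, limit=MAX_ENCODING_CHAIN):
    """True when the response declares more decompression steps than `limit`."""
    return len(parse_content_encoding(header_value)) > limit


def safe_to_decode(headers, limit=MAX_ENCODING_CHAIN):
    """Gate to run before decoding a response fetched with preload_content=False.
    Header names are matched case-insensitively, as HTTP requires."""
    for name, value in headers.items():
        if name.lower() == "content-encoding":
            return not encoding_chain_is_suspicious(value, limit)
    return True  # no Content-Encoding header: nothing to decompress


def parse_version(version):
    """'1.26.18' -> (1, 26, 18); pre-release suffixes such as 'rc1' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def urllib3_is_vulnerable(version):
    """Vulnerable range from the advisory: >= 1.24 and < 2.6.0."""
    return parse_version("1.24") <= parse_version(version) < parse_version("2.6.0")


def flag_captured_headers(lines, limit=MAX_ENCODING_CHAIN):
    """Scan header lines (e.g. from `tcpdump -A ... | grep -i Content-Encoding`)
    and return (line, chain length) for every chain longer than `limit`."""
    flagged = []
    for line in lines:
        m = re.match(r"(?i)content-encoding:\s*(.*)", line.strip())
        if m and len(parse_content_encoding(m.group(1))) > limit:
            flagged.append((line.strip(), len(parse_content_encoding(m.group(1)))))
    return flagged


# Constructed sample data (not captured traffic).
BENIGN_HEADERS = {"Content-Type": "text/html", "Content-Encoding": "gzip"}
SUSPICIOUS_HEADERS = {"content-encoding": ", ".join(["gzip"] * 20)}
CAPTURED_LINES = ["Content-Encoding: gzip\r", "content-encoding: " + ", ".join(["deflate"] * 8)]
```

In an application, call `safe_to_decode(response.headers)` on a response obtained with `preload_content=False` and only then read it with decoding enabled; a refused response should be logged with its chain length so the event is visible to monitoring.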