CVE-2025-66418
BaseFortify

Publication date: 2025-12-05

Last updated on: 2025-12-10

Assigner: GitHub, Inc.

Description
urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps, leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.
Meta Information
Generated: 2026-06-16
AI Q&A: 2025-12-05
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: python
Product: urllib3
Version / Range: from 1.24 (inclusive) to 2.6.0 (exclusive)
CWE
CWE-770: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Executive Summary

This vulnerability in urllib3 versions from 1.24 up to but not including 2.6.0 allows a malicious server to create an unbounded number of compression steps in the decompression chain. This leads to excessive CPU usage and massive memory allocation when decompressing data, potentially causing performance degradation or denial of service.

Impact Analysis

The vulnerability can cause high CPU usage and large memory consumption on systems using affected versions of urllib3 when processing maliciously crafted compressed data. This can degrade system performance, cause application crashes, or lead to denial of service.

Mitigation Strategies

Update urllib3 to version 2.6.0 or later, as this version contains the fix for the vulnerability.

Detection Guidance

To detect this vulnerability on your system, check the installed version of urllib3: versions >=1.24 and <2.6.0 are vulnerable. For example, run `pip show urllib3` or `pip list | grep urllib3` to find the installed version.

To detect exploitation attempts on your network, monitor HTTP responses for a `Content-Encoding` header containing an excessive number of chained encodings (more than 5). You can use tools like `tcpdump` or `Wireshark` to capture HTTP traffic and filter for suspicious `Content-Encoding` headers. For example, using `tcpdump`: `tcpdump -A -s 0 'tcp port 80' | grep -i 'Content-Encoding'`. Then manually inspect whether the header contains more than 5 comma-separated encodings.

If you are processing HTTP responses in your application, you can add logging to check the length of the encoding chain in the `Content-Encoding` header before decompression. If an immediate upgrade is not possible, disable automatic content decoding by setting `preload_content=False` and manually verify the number of encodings in the header to avoid resource exhaustion. [2, 1]
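The application-side header check described above, written out as an added Python example (it is not code from urllib3 or from this page): it counts the codings across all `Content-Encoding` fields of a response before any decompression, using the threshold of 5 from the guidance, and includes a version-range helper for the affected range. The sample headers are constructed, and the function names are assumptions for this example.

```python
import re

# Chain-length threshold from the detection guidance above: more than 5
# chained encodings is treated as suspicious and the body is not decompressed.
MAX_ENCODING_CHAIN = 5


def parse_content_encoding(header_value: str) -> list[str]:
    """Split one Content-Encoding value into its ordered, lower-cased codings."""
    # RFC 9110 comma-separated list; blanks are dropped and 'identity' is ignored
    # because it adds no decompression step.
    if not header_value:
        return []
    tokens = (tok.strip().lower() for tok in header_value.split(","))
    return [tok for tok in tokens if tok and tok != "identity"]


def encoding_chain(headers: list[tuple[str, str]]) -> list[str]:
    """Collect the full chain from every Content-Encoding field in a response."""
    # Repeated fields are equivalent to one comma-joined field, so a chain split
    # across several Content-Encoding lines is still counted in full.
    chain: list[str] = []
    for name, value in headers:
        if name.lower() == "content-encoding":
            chain.extend(parse_content_encoding(value))
    return chain


def encoding_chain_is_safe(headers: list[tuple[str, str]],
                           limit: int = MAX_ENCODING_CHAIN) -> bool:
    """True when the body may be handed to the decoder; log and skip otherwise."""
    return len(encoding_chain(headers)) <= limit


def version_is_vulnerable(version: str) -> bool:
    """True for urllib3 versions in the affected range [1.24, 2.6.0)."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    nums += [0] * (3 - len(nums))          # "1.24" -> (1, 24, 0)
    return (1, 24, 0) <= tuple(nums) < (2, 6, 0)


# Constructed sample responses (not captured traffic): a normal gzip reply and
# one whose encoding chain is spread over two header lines.
BENIGN_HEADERS = [("Content-Type", "text/html"), ("Content-Encoding", "gzip")]
EXCESSIVE_HEADERS = [("Content-Encoding", "gzip, gzip, gzip, gzip"),
                     ("content-encoding", "deflate, gzip, gzip")]

if __name__ == "__main__":
    for label, hdrs in (("benign", BENIGN_HEADERS), ("excessive", EXCESSIVE_HEADERS)):
        print(label, len(encoding_chain(hdrs)), "ok" if encoding_chain_is_safe(hdrs) else "REJECT")
```

Run the check on the raw response headers before decoding the body; a rejected response should be logged with its chain length and discarded rather than decompressed.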
