CVE-2025-66471
BaseFortify
Publication date: 2025-12-05
Last updated on: 2025-12-10
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| python | urllib3 | From 1.0 (inc) to 2.6.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-409 | The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources contain no information about the impact of this vulnerability on compliance with standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
This is a decompression-bomb issue (CWE-409) in urllib3's streaming API, i.e. reading a response with preload_content=False and then consuming it through read(amt) or stream(). When the response is content-encoded (gzip, deflate, Brotli, zstd), urllib3 hands each compressed chunk it receives from the socket to the content decoder and decodes all of it, rather than only as much as is needed to satisfy the amount the caller asked for. A caller requesting a few kilobytes at a time therefore does not bound how much decoded data is materialised: a body of a few kilobytes of highly compressed input (deflate alone reaches ratios on the order of 1000:1) can be expanded in a single operation, consuming large amounts of CPU time and memory before the application sees the first chunk.
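The mechanism above, as an added example that is not code from the page or from urllib3 itself: a constructed deflate body that is a few kilobytes compressed but megabytes decoded, fed first to a decoder that decodes the whole buffer before slicing off the requested amount (the pre-2.6.0 shape of the problem), then to a decoder that asks zlib for at most `amt` bytes per call and keeps the unconsumed input for the next call (the shape of the fix). Names such as `unbounded_read` and `BoundedDecoder` are this example's own; urllib3's real ContentDecoder classes are not reproduced here.

```python
import zlib

# Constructed sample body: 8 MiB of zeros compresses to roughly 8 KiB with
# deflate. A malicious server only needs to send the small compressed form.
EXPANDED_SIZE = 8 * 1024 * 1024
COMPRESSED_BODY = zlib.compress(b"\x00" * EXPANDED_SIZE, 9)


def unbounded_read(compressed: bytes, amt: int) -> tuple[bytes, int]:
    """Decode the whole compressed buffer, then return the first 'amt' bytes.

    This is the problematic shape: the full decoded output is allocated
    before the caller's small request is satisfied. Returns the chunk and
    the number of bytes that were actually materialised in memory.
    """
    decoder = zlib.decompressobj()
    decoded = decoder.decompress(compressed) + decoder.flush()
    return decoded[:amt], len(decoded)


class BoundedDecoder:
    """Decode at most 'amt' bytes per call.

    zlib's decompressobj accepts a max_length; input it could not process
    within that limit is left in unconsumed_tail, which is fed back on the
    next call together with any new input. Memory use now tracks the
    caller's chunk size instead of the compression ratio.
    """

    def __init__(self) -> None:
        self._decoder = zlib.decompressobj()
        self._pending = b""

    @property
    def eof(self) -> bool:
        return self._decoder.eof

    def read(self, compressed: bytes, amt: int) -> bytes:
        data = self._pending + compressed
        out = self._decoder.decompress(data, amt)
        self._pending = self._decoder.unconsumed_tail
        return out


def bounded_stream(compressed: bytes, amt: int) -> list[int]:
    """Drain a compressed body through BoundedDecoder in 'amt'-sized reads
    and return the size of every chunk produced (all <= amt)."""
    decoder = BoundedDecoder()
    sizes = []
    pending_input = compressed
    while not decoder.eof:
        chunk = decoder.read(pending_input, amt)
        pending_input = b""  # the decoder now holds any leftover input
        if not chunk and not decoder.eof:
            raise ValueError("compressed stream ended early")
        sizes.append(len(chunk))
    return sizes


if __name__ == "__main__":
    amt = 8192
    chunk, materialised = unbounded_read(COMPRESSED_BODY, amt)
    print(f"compressed body: {len(COMPRESSED_BODY)} bytes")
    print(f"unbounded: asked for {amt}, decoded {materialised} bytes in one go")
    sizes = bounded_stream(COMPRESSED_BODY, amt)
    print(f"bounded: {len(sizes)} reads, largest {max(sizes)} bytes, "
          f"total {sum(sizes)} bytes")
```

The bounded decoder still decodes the entire body eventually, which is correct; the difference is that no single read can force more than `amt` bytes of output, so an application that reads in small chunks and stops early (or enforces its own byte budget) is no longer at the mercy of the response's compression ratio.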
How can this vulnerability impact me?
Any application that uses a vulnerable urllib3 to fetch compressed responses from a server it does not fully control is exposed: a malicious or compromised origin can return a small body that decodes to a very large one, driving CPU usage and memory allocation in the client process high enough to cause a denial of service or serious degradation. Because the expansion happens inside urllib3 before the caller receives its requested chunk, reading the response in small pieces on an affected version does not limit the damage.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The reliable check is a version inventory: every Python environment with urllib3 at version 1.0 or later and earlier than 2.6.0 is affected. Run 'pip show urllib3' or 'pip list | grep urllib3' in each virtual environment and interpreter you deploy, not just the system one; urllib3 is a transitive dependency of widely used packages such as requests, so it is often present without being listed as a direct requirement. Exploitation itself shows up only as symptoms: a Python process handling compressed HTTP responses that suddenly consumes far more CPU and memory than the size of the response it is streaming would justify. Tools such as 'top', 'htop' or 'ps' can surface that, but resource monitoring only indicates that something is being exploited or misbehaving; it cannot tell you whether an installation is vulnerable. [2]
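A small inventory helper, added here as an example and not part of the page or of urllib3, that applies the affected range from the table above (from 1.0 inclusive to 2.6.0 exclusive) to a version string and to whatever urllib3 is installed for the interpreter it runs under. The version parsing is deliberately stdlib-only and conservative: a pre-release such as 2.6.0rc1 is treated as still affected, which is this helper's own assumption rather than something the advisory states.

```python
import re
from importlib import metadata

# Affected range from the advisory table: >= 1.0 and < 2.6.0.
# Tuples are (major, minor, patch, is_final_release) so that a pre-release of
# 2.6.0 sorts below the final 2.6.0 and is still reported as affected.
FIRST_AFFECTED = (1, 0, 0, 1)
FIRST_FIXED = (2, 6, 0, 1)

_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(.*)$")
_PRE_RELEASE_RE = re.compile(r"^\.?(a|b|rc|dev)", re.IGNORECASE)


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Parse the release segment of a PEP 440-style version string.

    Returns (major, minor, patch, is_final). Anything after the numeric
    segment that looks like a pre-release marker (a1, b2, rc1, .dev0) sets
    is_final to 0; post-releases (.post1) count as final. Local labels and
    epochs are not handled (assumption of this helper).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, rest = m.groups()
    is_final = 0 if _PRE_RELEASE_RE.match(rest or "") else 1
    return int(major), int(minor or 0), int(patch or 0), is_final


def is_affected(version: str) -> bool:
    """True if 'version' falls inside the advisory's affected range."""
    return FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED


def check_installed(dist: str = "urllib3") -> tuple:
    """Return (installed_version, affected) for the running interpreter.

    Returns (None, False) when the distribution is not installed in this
    environment. Run it under each interpreter/venv you deploy, since the
    result only describes the environment it executes in.
    """
    try:
        installed = metadata.version(dist)
    except metadata.PackageNotFoundError:
        return None, False
    return installed, is_affected(installed)


if __name__ == "__main__":
    version, affected = check_installed()
    if version is None:
        print("urllib3 is not installed in this environment")
    else:
        state = "AFFECTED (upgrade to >= 2.6.0)" if affected else "not affected"
        print(f"urllib3 {version}: {state}")
```

Pair this with 'pip list' output from each environment, or with a lockfile scan, to cover hosts where you cannot run code; the version logic is the same either way.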
What immediate steps should I take to mitigate this vulnerability?
Upgrade urllib3 to version 2.6.0 or later; the fix stops the streaming API from decompressing beyond the amount requested and introduces safer decompression methods. If your application uses Brotli content encoding, also upgrade the Brotli dependencies (brotli or brotlicffi) to version 1.2.0 or higher; installing with the optional 'urllib3[brotli]' extra is the recommended way to pull in compatible Brotli packages. If you have registered custom decompressors, update them to the new ContentDecoder API. As a general practice, fetch responses of large or unknown length with 'preload_content=False' and consume them with read(amt) or stream() so the whole body is never loaded into memory at once; note that this only bounds memory use on a fixed version, since on affected versions the excessive decompression happens inside that streaming path itself. [1, 2]