urllib3 allows an unbounded number of links in the decompression chain
CVE-2025-66418

8.9HIGH

Key Information:

Vendor: Urllib3
Status: Urllib3
Vendor: CVE Published:; 5 December 2025

What is CVE-2025-66418?

urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.

Affected Version(s)

urllib3 >= 1.24, < 2.6.0

References

https://github.com/urllib3/urllib3/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/urllib3/urllib3/commit/24d7b67eac89f94...

x_refsource_MISC

CVSS V4

Score:

8.9

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 5, 2025
Vulnerability Reserved
Nov 28, 2025

JSON

Urllib3

What is CVE-2025-66418?

Affected Version(s)

References

CVSS V4

Timeline