Unbounded Decompression Chain in urllib3 HTTP Client Library by Python
CVE-2025-66418
Severity: 8.9 (HIGH)
What is CVE-2025-66418?
urllib3, a widely used HTTP client library for Python, applies every content encoding a server lists for a response, but affected versions place no limit on the number of steps in that chain. A malicious server can therefore advertise an arbitrarily long decompression chain (for example, a Content-Encoding header repeating the same encoding many times), and the client will attempt to undo every step, consuming excessive CPU and allocating substantial memory while decoding. The fix in 2.6.0 bounds the length of the decompression chain; users are strongly advised to upgrade to version 2.6.0 or later.
Affected Version(s)
urllib3 >= 1.24, < 2.6.0
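The following is an added illustration, not urllib3's own code, of the mechanism behind this advisory: a server encodes a body through a chain of encodings, and a client must undo them in reverse order. The constructed `malicious_response` helper stands in for a hostile server, and `decode_chain` shows the kind of guard a bounded decoder applies. The limit `MAX_CHAIN_LINKS` and all function names are assumptions chosen for illustration, not values or APIs from urllib3.

```python
import gzip
import zlib

# Assumed limit for this example; urllib3 2.6.0 enforces its own bound,
# and the exact value there is not part of this illustration.
MAX_CHAIN_LINKS = 5


class DecompressionChainTooLong(ValueError):
    """Raised when a Content-Encoding header lists more steps than we accept."""


def parse_content_encoding(header: str) -> list[str]:
    """Split 'gzip, deflate' into ['gzip', 'deflate'], dropping 'identity'."""
    tokens = [tok.strip().lower() for tok in header.split(",")]
    return [tok for tok in tokens if tok and tok != "identity"]


def encode_chain(body: bytes, encodings: list[str]) -> bytes:
    """Apply encodings left to right, as a server listing them in
    Content-Encoding would (RFC 9110: the header lists them in the order applied)."""
    data = body
    for enc in encodings:
        if enc == "gzip":
            data = gzip.compress(data)
        elif enc == "deflate":
            data = zlib.compress(data)
        else:
            raise ValueError(f"unsupported encoding {enc!r}")
    return data


def decode_chain(body: bytes, content_encoding: str) -> bytes:
    """Undo the chain right to left, refusing chains longer than the bound.

    The length check happens before any decompression work, so a hostile
    header cannot make us spend CPU or memory on the first N steps and
    only then discover the chain is absurdly long."""
    encodings = parse_content_encoding(content_encoding)
    if len(encodings) > MAX_CHAIN_LINKS:
        raise DecompressionChainTooLong(
            f"{len(encodings)} encodings listed, limit is {MAX_CHAIN_LINKS}"
        )
    data = body
    for enc in reversed(encodings):
        if enc in ("gzip", "x-gzip"):
            data = gzip.decompress(data)
        elif enc == "deflate":
            data = zlib.decompress(data)
        else:
            raise ValueError(f"unsupported encoding {enc!r}")
    return data


def malicious_response(depth: int) -> tuple[str, bytes]:
    """Constructed stand-in for a hostile server's response: a tiny body
    wrapped in `depth` layers of gzip and a matching Content-Encoding header."""
    chain = ["gzip"] * depth
    return ", ".join(chain), encode_chain(b"hello", chain)


def chain_accepted(depth: int) -> bool:
    """True if a response with `depth` gzip layers decodes under the bound."""
    header, body = malicious_response(depth)
    try:
        return decode_chain(body, header) == b"hello"
    except DecompressionChainTooLong:
        return False


if __name__ == "__main__":
    for depth in (1, 3, 50):
        print(f"depth={depth:>3}: {'accepted' if chain_accepted(depth) else 'rejected'}")
```

An unbounded decoder would differ from `decode_chain` only by lacking the length check; with `depth=50` it would happily run fifty rounds of `gzip.decompress`, and the cost scales with whatever depth the server chooses. The check on the header is what turns an attacker-controlled amount of work into a constant.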
