CVE-2025-66418

NameCVE-2025-66418
Descriptionurllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-4421-1
Debian Bugs1122030

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-urllib3 (PTS)bullseye1.26.5-1~exp1vulnerable
bullseye (security)1.26.5-1~exp1+deb11u2fixed
bookworm1.26.12-1+deb12u1vulnerable
trixie2.3.0-3vulnerable
forky, sid2.5.0-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-urllib3sourcebullseye1.26.5-1~exp1+deb11u2DLA-4421-1
python-urllib3source(unstable)(unfixed)1122030

Notes

https://www.openwall.com/lists/oss-security/2025/12/05/4
https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53
Fixed by: https://github.com/urllib3/urllib3/commit/24d7b67eac89f94e11003424bcf0d8f7b72222a8 (2.6.0)
Search for package or bug name: Reporting problems