urllib3 allows an unbounded number of links in the decompression...

8.9 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

Description

urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.

AI Analysis

Unbounded decompression chain vulnerability in urllib3

Basic Information

ID CVE-2025-66418

Source GitHub_M

Published Dec 5, 2025 at 16:02

Modified Dec 5, 2025 at 18:15

Affected Product

Vendor urllib3

Product urllib3

Version >= 1.24, < 2.6.0

Affected Versions urllib3 urllib3 >= 1.24, < 2.6.0

CWE Classification

CWE-770

AI Assessment

AI Score 8.9 / 10

AI Severity High

Vendor urllib3

Product urllib3

Version 1.24 to 2.6.0

References

{
    "lastseen": "",
    "description": "urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.",
    "published": "2025-12-05T16:02:15.271Z",
    "modified": "2025-12-05T18:15:28.505Z",
    "type": "cve",
    "title": "urllib3 allows an unbounded number of links in the decompression chain",
    "source": "GitHub_M",
    "references": "https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53\nhttps://github.com/urllib3/urllib3/commit/24d7b67eac89f94e11003424bcf0d8f7b72222a8",
    "id": "CVE-2025-66418",
    "bulletinFamily": "",
    "cwe": [
        "CWE-770"
    ],
    "cvelist": null,
    "sourceData": "urllib3 urllib3 >= 1.24, < 2.6.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.9,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "urllib3",
    "version": ">= 1.24, < 2.6.0",
    "vendor": "urllib3",
    "ai_description": "Unbounded decompression chain vulnerability in urllib3",
    "ai_severity": "High",
    "ai_vendor": "urllib3",
    "ai_product": "urllib3",
    "ai_version": "1.24 to 2.6.0",
    "ai_score": 8.9
}

urllib3 allows an unbounded number of links in the decompression chain_CVE-2025-66418