CVE-2025-66418 HIGH

CVE-2025-66418: urllib3 allows an unbounded number of links in the decompression chain

Vendor Urllib3
Product urllib3
Weakness CWE-770 · Uncontrolled resource consumption
Published December 5, 2025
Last update December 5, 2025

CVSS base score

8.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

What the vulnerability does

01Description

urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.

Key dates

02Disclosure timeline

December 5, 2025 CVE published
December 5, 2025 Record updated