Vulnerability Details CVE-2025-66418
urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 3.7%
CVSS Severity
CVSS v3 Score 7.5
References
Products affected by CVE-2025-66418
-
cpe:2.3:a:python:urllib3:1.24
-
cpe:2.3:a:python:urllib3:1.24.1
-
cpe:2.3:a:python:urllib3:1.24.2
-
cpe:2.3:a:python:urllib3:1.24.3
-
cpe:2.3:a:python:urllib3:1.25
-
cpe:2.3:a:python:urllib3:1.25.1
-
cpe:2.3:a:python:urllib3:1.25.10
-
cpe:2.3:a:python:urllib3:1.25.11
-
cpe:2.3:a:python:urllib3:1.25.2
-
cpe:2.3:a:python:urllib3:1.25.3
-
cpe:2.3:a:python:urllib3:1.25.4
-
cpe:2.3:a:python:urllib3:1.25.5
-
cpe:2.3:a:python:urllib3:1.25.6
-
cpe:2.3:a:python:urllib3:1.25.7
-
cpe:2.3:a:python:urllib3:1.25.8
-
cpe:2.3:a:python:urllib3:1.25.9
-
cpe:2.3:a:python:urllib3:1.26.0
-
cpe:2.3:a:python:urllib3:1.26.1
-
cpe:2.3:a:python:urllib3:1.26.10
-
cpe:2.3:a:python:urllib3:1.26.11
-
cpe:2.3:a:python:urllib3:1.26.12
-
cpe:2.3:a:python:urllib3:1.26.13
-
cpe:2.3:a:python:urllib3:1.26.14
-
cpe:2.3:a:python:urllib3:1.26.15
-
cpe:2.3:a:python:urllib3:1.26.16
-
cpe:2.3:a:python:urllib3:1.26.17
-
cpe:2.3:a:python:urllib3:1.26.18
-
cpe:2.3:a:python:urllib3:1.26.19
-
cpe:2.3:a:python:urllib3:1.26.2
-
cpe:2.3:a:python:urllib3:1.26.20
-
cpe:2.3:a:python:urllib3:1.26.3
-
cpe:2.3:a:python:urllib3:1.26.4
-
cpe:2.3:a:python:urllib3:1.26.5
-
cpe:2.3:a:python:urllib3:1.26.6
-
cpe:2.3:a:python:urllib3:1.26.7
-
cpe:2.3:a:python:urllib3:1.26.8
-
cpe:2.3:a:python:urllib3:1.26.9
-
cpe:2.3:a:python:urllib3:2.0.0
-
cpe:2.3:a:python:urllib3:2.0.0a1
-
cpe:2.3:a:python:urllib3:2.0.0a2
-
cpe:2.3:a:python:urllib3:2.0.0a3
-
cpe:2.3:a:python:urllib3:2.0.0a4
-
cpe:2.3:a:python:urllib3:2.0.1
-
cpe:2.3:a:python:urllib3:2.0.2
-
cpe:2.3:a:python:urllib3:2.0.3
-
cpe:2.3:a:python:urllib3:2.0.4
-
cpe:2.3:a:python:urllib3:2.0.5
-
cpe:2.3:a:python:urllib3:2.0.6
-
cpe:2.3:a:python:urllib3:2.0.7
-
cpe:2.3:a:python:urllib3:2.1.0
-
cpe:2.3:a:python:urllib3:2.2.0
-
cpe:2.3:a:python:urllib3:2.2.1
-
cpe:2.3:a:python:urllib3:2.2.2
-
cpe:2.3:a:python:urllib3:2.2.3
-
cpe:2.3:a:python:urllib3:2.3.0
-
cpe:2.3:a:python:urllib3:2.4.0
-
cpe:2.3:a:python:urllib3:2.5.0