CVE-2025-66418

Aliases:GHSA-gm62-xv2j-4w53

Advisory lineage Upstream: 0 Downstream: 62

Downstream

ALPINE-CVE-2025-66418 DEBIAN-CVE-2025-66418 MGASA-2026-0011 OPENSUSE-SU-2026:10026-1 OPENSUSE-SU-2026:10096-1 OPENSUSE-SU-2026:10431-1

Analyzed

Published: 05 Dec 2025, 16:02

Last modified:05 Dec 2025, 18:15

Vulnerability Summary

Overall Risk (default)

medium

36/100

CVSS Score

8.9 HIGH

v4.0 (cve.org)

EPSS Score

0.02% LOW

0% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

05 Dec 2025, 16:02

Published

Vulnerability first disclosed

05 Dec 2025, 18:15

Last Modified

Vulnerability information updated

Description

urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.

CVSS Metrics

v4.0•HIGH•Score: 8.9CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
v4.0•HIGH•Score: 8.9CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 0.02%• Percentile: 6%

Techniques & Countermeasures

CWE-770•Allocation of Resources Without Limits or Throttling
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Affected Systems

PyPI•urllib3
≥ 1.24, < 2.6.0
python•urllib3
≥ 1.24, < 2.6.0
urllib3•urllib3
≥ 1.24, < 2.6.0