{"id":"ALPINE-CVE-2025-66418","details":"urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.","modified":"2026-03-09T01:21:27.627105Z","published":"2025-12-05T16:15:51.053Z","upstream":["CVE-2025-66418"],"references":[{"type":"ADVISORY","url":"https://security.alpinelinux.org/vuln/CVE-2025-66418"}],"affected":[{"package":{"name":"py3-urllib3","ecosystem":"Alpine:v3.23","purl":"pkg:apk/alpine/py3-urllib3?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.6.3-r0"}]}],"versions":["1.18-r0","1.21.1-r0","1.22-r0","1.24.1-r0","1.24.1-r1","1.24.2-r0","1.25.1-r0","1.25.10-r0","1.25.11-r0","1.25.2-r0","1.25.3-r0","1.25.5-r0","1.25.6-r0","1.25.6-r1","1.25.7-r0","1.25.7-r1","1.25.8-r0","1.25.9-r0","1.26.0-r0","1.26.1-r0","1.26.10-r0","1.26.11-r0","1.26.12-r0","1.26.12-r1","1.26.13-r0","1.26.14-r0","1.26.15-r0","1.26.15-r1","1.26.15-r2","1.26.16-r0","1.26.17-r0","1.26.18-r0","1.26.18-r1","1.26.2-r0","1.26.2-r1","1.26.20-r0","1.26.3-r0","1.26.4-r0","1.26.4-r1","1.26.5-r0","1.26.6-r0","1.26.7-r0","1.26.7-r1","1.26.8-r0","1.26.9-r0","2.0.2-r0","2.5.0-r0"],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/alpine/ALPINE-CVE-2025-66418.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}