{"id":"CVE-2025-66418","summary":"urllib3 allows an unbounded number of links in the decompression chain","details":"urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.","aliases":["GHSA-gm62-xv2j-4w53"],"modified":"2026-04-11T12:47:44.409847Z","published":"2025-12-05T16:02:15.271Z","related":["ALSA-2026:1086","ALSA-2026:1087","ALSA-2026:1088","ALSA-2026:1089","ALSA-2026:1224","ALSA-2026:1226","ALSA-2026:1239","ALSA-2026:1254","CGA-w59h-375r-3v44","MGASA-2026-0011","SUSE-SU-2026:0367-1","SUSE-SU-2026:0443-1","SUSE-SU-2026:0635-1","SUSE-SU-2026:20175-1","SUSE-SU-2026:20189-1","SUSE-SU-2026:20443-1","SUSE-SU-2026:20485-1","SUSE-SU-2026:20591-1","openSUSE-SU-2026:10026-1","openSUSE-SU-2026:10096-1","openSUSE-SU-2026:10431-1","openSUSE-SU-2026:20127-1","openSUSE-SU-2026:20271-1"],"database_specific":{"cwe_ids":["CWE-770"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/66xxx/CVE-2025-66418.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/66xxx/CVE-2025-66418.json"},{"type":"ADVISORY","url":"https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66418"},{"type":"FIX","url":"https://github.com/urllib3/urllib3/commit/24d7b67eac89f94e11003424bcf0d8f7b72222a8"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/urllib3/urllib3","events":[{"introduced":"ef0c74542abe69421a86c4d3c6a86fe43cb809a4"},{"fixed":"720f484b605f18887a48eef448d0084e2b76902d"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-66418.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H"}]}