DirectorySecurity AdvisoriesPricing
/
Sign in
Security Advisories

CVE-2025-66418

Published

Last updated

NVD

https://nvd.nist.gov/vuln/detail/CVE-2025-66418

Severity

Unknown

Summary

urllib3 allows an unbounded number of links in the decompression chain

Description

urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.

References

  • https://nvd.nist.gov/vuln/detail/CVE-2025-66418
  • https://github.com/advisories/GHSA-gm62-xv2j-4w53
  • https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/66xxx/CVE-2025-66418.json
  • https://github.com/urllib3/urllib3/commit/24d7b67eac89f94e11003424bcf0d8f7b72222a8
  • https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53

Affected packages

The trusted source for open source

Talk to an expert
© 2025 Chainguard. All Rights Reserved.
PrivacyTerms

Product

Chainguard ContainersChainguard LibrariesChainguard VMsIntegrationsPricing

Solutions

FedRAMPPCI DSSCMMC 2.0Golden ImagesCVE RemediationPublic Sector

Customers

Customer StoriesChainguard Reviews

Resources

Events & WebinarsSupply Chain Security 101Chainguard CoursesDocumentationTrust CenterChainguard Slack Community

Company

About UsBlogPartnersNewsroomCareersLegal