VYPR
High severityNVD Advisory· Published Dec 5, 2025· Updated Dec 5, 2025

urllib3 allows an unbounded number of links in the decompression chain

CVE-2025-66418

Description

urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
urllib3PyPI
>= 1.24, < 2.6.02.6.0

Affected products

320

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.