CVE-2025-66418
Public on 2025-12-05
Modified on 2025-12-08
Description
urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps, leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.
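A defender-side illustration of the fix's idea, added here as an example and not urllib3's own code: count the codings advertised in Content-Encoding and refuse the response before any decompression when the chain exceeds a cap, so a server cannot make the client pay for an arbitrarily long chain. The cap value, the helper names and the constructed server stand-in are assumptions for this example.

```python
import gzip
import zlib

# Assumed cap on links in a Content-Encoding chain. This value is a constructed
# choice for the example, not urllib3's own constant.
MAX_ENCODING_LINKS = 5


class DecodeChainTooLong(ValueError):
    """The response advertised more encodings than we are willing to undo."""


def parse_content_encoding(header: str) -> list:
    """Split a Content-Encoding value into its ordered, lower-cased codings."""
    return [c.strip().lower() for c in header.split(",") if c.strip()]


def decode_body(body: bytes, content_encoding: str) -> bytes:
    """Undo a Content-Encoding chain, refusing chains longer than the cap.

    Codings are listed in the order the server applied them, so they are
    undone last to first. The length check runs before any decompression,
    so an over-long chain costs no CPU or memory at all.
    """
    codings = parse_content_encoding(content_encoding)
    if len(codings) > MAX_ENCODING_LINKS:
        raise DecodeChainTooLong(
            f"{len(codings)} codings listed, limit is {MAX_ENCODING_LINKS}")
    for coding in reversed(codings):
        if coding == "gzip":
            body = gzip.decompress(body)
        elif coding == "deflate":
            body = zlib.decompress(body)
        elif coding != "identity":
            raise ValueError(f"unsupported coding {coding!r}")
    return body


def build_layered_response(payload: bytes, depth: int) -> tuple:
    """Constructed stand-in for a server that gzips its body `depth` times
    and advertises every layer in Content-Encoding."""
    for _ in range(depth):
        payload = gzip.compress(payload)
    return payload, ", ".join(["gzip"] * depth)
```

A chain within the cap decodes normally; one link over the cap is rejected before the first gzip layer is touched.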
Severity
CVSS v3 Base Score
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | python-pip | | | Pending Fix |
| Amazon Linux 2023 | python-pip | | | Pending Fix |
| Amazon Linux 2 - Core | python-urllib3 | | | Pending Fix |
| Amazon Linux 2023 | python-urllib3 | | | Pending Fix |
| Amazon Linux 2 - Core | python3-urllib3 | | | Pending Fix |
| Amazon Linux 2023 | python3.11-pip | | | Pending Fix |
| Amazon Linux 2023 | python3.12-pip | | | Pending Fix |
| Amazon Linux 2023 | python3.13-pip | | | Pending Fix |
CVSS Scores
| Source | Score Type | Score | Vector |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| NVD | CVSSv3 | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |