PT-2025-49260 · Pypi+6 · Urllib3+6
Published 2025-01-01 · Updated 2026-05-28
CVE-2025-66418
CVSS v4.0: 8.9 (High)
| Vector | AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H |
Name of the Vulnerable Software and Affected Versions
urllib3 versions 1.24 through 2.5.9
Description
urllib3 is a user-friendly HTTP client library for Python. In versions starting from 1.24 and prior to 2.6.0, the decompression chain had an unbounded number of links. This allowed a malicious server to insert a virtually unlimited number of compression steps, leading to high CPU usage and substantial memory allocation during decompression of the data. This issue can potentially lead to denial-of-service conditions.
Recommendations
urllib3 versions prior to 2.6.0 should be updated to version 2.6.0 or later.
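The weakness described above is a missing cap on how many Content-Encoding links a client will honour. The following is an added illustration of the defensive pattern, not urllib3's own code or its actual fix: the chain is parsed and validated before any decompression work starts, each link is inflated with an explicit output bound, and a constructed "server" helper produces multiply-compressed bodies so the check can be exercised offline. The link and byte limits, the helper names and the accepted encodings are assumptions chosen for this example.

```python
import gzip
import zlib

# Assumed limits for this illustration; they are not urllib3's actual values.
MAX_ENCODING_LINKS = 3
MAX_DECODED_BYTES = 1 << 20  # 1 MiB cap per decompression step
SUPPORTED_ENCODINGS = {"gzip", "x-gzip", "deflate"}


def parse_content_encoding(header: str) -> list[str]:
    """Split a Content-Encoding header into its ordered, lower-cased codings."""
    return [tok.strip().lower() for tok in header.split(",") if tok.strip()]


def validate_chain(header: str, max_links: int = MAX_ENCODING_LINKS) -> list[str]:
    """Reject chains that are too long or that name an unsupported coding.

    Enforcing the link cap before any decoding happens is what prevents a
    server from driving CPU and memory use with nothing more than a header.
    """
    links = parse_content_encoding(header)
    if len(links) > max_links:
        raise ValueError(
            f"Content-Encoding chain has {len(links)} links, limit is {max_links}"
        )
    for enc in links:
        if enc != "identity" and enc not in SUPPORTED_ENCODINGS:
            raise ValueError(f"unsupported Content-Encoding: {enc}")
    return links


def _inflate_bounded(data: bytes, encoding: str, max_output: int) -> bytes:
    """Decompress one link with an output cap rather than trusting the stream."""
    # gzip needs the +16 wbits offset; "deflate" is treated as zlib-wrapped data here.
    wbits = 16 + zlib.MAX_WBITS if encoding in ("gzip", "x-gzip") else zlib.MAX_WBITS
    dobj = zlib.decompressobj(wbits)
    out = dobj.decompress(data, max_output + 1)  # never produce more than the cap + 1
    if len(out) > max_output:
        raise ValueError(f"decoded output exceeds {max_output} bytes")
    if not dobj.eof:
        raise ValueError("truncated or malformed compressed stream")
    return out


def decode_body(
    body: bytes,
    header: str,
    max_links: int = MAX_ENCODING_LINKS,
    max_output: int = MAX_DECODED_BYTES,
) -> bytes:
    """Validate the chain, then undo the codings in reverse header order."""
    links = validate_chain(header, max_links)
    for enc in reversed(links):
        if enc == "identity":
            continue
        body = _inflate_bounded(body, enc, max_output)
    return body


def is_rejected(body: bytes, header: str, **limits) -> bool:
    """True when the body is refused by the chain or size limits."""
    try:
        decode_body(body, header, **limits)
    except ValueError:
        return True
    return False


def compress_n(data: bytes, n: int) -> tuple[bytes, str]:
    """Constructed server behaviour: gzip the payload n times and advertise it."""
    for _ in range(n):
        data = gzip.compress(data)
    return data, ", ".join(["gzip"] * n)


if __name__ == "__main__":
    body, header = compress_n(b"hello", 2)
    print(decode_body(body, header))        # within the limit: decodes normally
    body, header = compress_n(b"hello", 20)
    print(is_rejected(body, header))        # over the limit: refused before inflating
```

The key design choice is that `validate_chain` runs on the header alone, so a response advertising an excessive chain is refused before a single byte is inflated; the per-step output cap in `_inflate_bounded` then bounds the cost of each link that is accepted.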
Exploit
Fix
DoS
Allocation of Resources Without Limits
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Debian
Linuxmint
Red Os
Rocky Linux
Ubuntu
Urllib3