PT-2025-49261 · Pypi+6 · Urllib3+6

Published: 2025-01-01 · Updated: 2026-06-03 · CVE-2025-66471

CVSS v4.0: 8.9 (High)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
Name of the Vulnerable Software and Affected Versions: urllib3 versions 1.0 through 2.5.16
Description: urllib3 is a Python HTTP client library. Versions prior to 2.6.0 have an issue in the Streaming API where it improperly handles highly compressed data. The decompression logic can cause excessive resource consumption, including high CPU usage and large memory allocation, when processing compressed responses. The library attempts to read compressed data and decompress it to meet the requested chunk size, but can fully decode a small amount of highly compressed data in a single operation, leading to resource exhaustion.
Recommendations: Update to urllib3 version 2.6.0 or later.
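The description above contrasts two behaviours: decoding a compressed buffer in one operation, which materialises the entire payload however small the input was, and decoding only enough to satisfy the requested chunk size. The following is an added illustration written for this page, not urllib3's code and not its 2.6.0 fix; the names `BoundedDecoder`, `decode_bounded` and `guard_trips` are this example's own, and the compressed sample is constructed from a run of zeros purely to exercise the two decoders. It uses the standard-library `zlib` `max_length` argument to cap the output of each read and adds an optional ceiling on total expansion, which is the kind of check a defender wants around any decompression of untrusted responses.

```python
"""Bounded decompression: never hand out more decompressed bytes per read than asked for."""
import zlib
from typing import Optional, Tuple


def make_compressed_sample(raw_size: int) -> bytes:
    # Constructed sample input (not from the advisory): a run of zeros is about as
    # compressible as DEFLATE allows, so a few KiB of compressed bytes expand to
    # raw_size bytes. It exists only to exercise the two decoders below.
    return zlib.compress(b"\0" * raw_size, 9)


def naive_decode_size(compressed: bytes) -> int:
    # One-shot decode: the whole decompressed payload is materialised in a single
    # allocation regardless of the compressed size. This is the pattern the
    # advisory describes as the problem.
    return len(zlib.decompress(compressed))


class BoundedDecoder:
    """Incremental decoder whose single read() never returns more than max_out bytes.

    The bound is enforced with zlib's max_length argument; compressed input that
    could not be consumed yet is carried over in unconsumed_tail, so a highly
    compressed buffer is expanded one slice at a time instead of all at once.
    """

    def __init__(self, max_out: int, max_total: Optional[int] = None) -> None:
        self.max_out = max_out
        self.max_total = max_total          # optional ceiling on total expansion
        self._z = zlib.decompressobj()
        self._pending = b""                 # compressed bytes not yet consumed
        self.total_output = 0
        self.peak_output = 0                # largest single read() result

    def feed(self, compressed: bytes) -> None:
        self._pending += compressed

    def read(self) -> bytes:
        if self._z.eof:
            return b""
        out = self._z.decompress(self._pending, self.max_out)
        self._pending = self._z.unconsumed_tail
        self.total_output += len(out)
        self.peak_output = max(self.peak_output, len(out))
        if self.max_total is not None and self.total_output > self.max_total:
            raise ValueError(
                f"decompressed size exceeds {self.max_total} bytes; aborting"
            )
        return out


def decode_bounded(compressed: bytes, max_out: int,
                   max_total: Optional[int] = None) -> Tuple[int, int]:
    """Decode a whole buffer in bounded steps; return (total_bytes, peak_single_read)."""
    dec = BoundedDecoder(max_out, max_total)
    dec.feed(compressed)
    while True:
        chunk = dec.read()
        if not chunk:                       # end of stream (or truncated input)
            break
    return dec.total_output, dec.peak_output


def guard_trips(compressed: bytes, max_out: int, max_total: int) -> bool:
    """True if the total-expansion guard aborts decoding of `compressed`."""
    try:
        decode_bounded(compressed, max_out, max_total)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    sample = make_compressed_sample(8 * 1024 * 1024)
    print(f"compressed input: {len(sample)} bytes")
    print(f"naive one-shot decode materialises: {naive_decode_size(sample)} bytes")
    total, peak = decode_bounded(sample, 64 * 1024)
    print(f"bounded decode: {total} bytes total, never more than {peak} per read")
    print(f"1 MiB total ceiling trips: {guard_trips(sample, 64 * 1024, 1024 * 1024)}")
```

Per-read bounding alone only limits the size of each allocation; a caller that keeps reading will still spend the CPU needed to inflate the whole stream, which is why the example also carries a total-expansion ceiling that aborts the decode outright. A real client should apply the same limit to gzip and other content encodings it accepts.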

Tags: Exploit · Fix · DoS

Related Identifiers

ALSA-2026:1086
ALSA-2026:1087
ALSA-2026:1088
ALSA-2026:1089
ALSA-2026:1224
ALSA-2026:1226
ALSA-2026:1239
ALSA-2026:1240
ALSA-2026:1241
ALSA-2026:1254
AZL-71837
AZL-71849
BDU:2026-03452
CVE-2025-66471
ECHO-C1CA-549F-F62B
GHSA-2XPW-W6GG-JR37
OESA-2026-1249
OESA-2026-1250
OESA-2026-1251
OESA-2026-1286
OESA-2026-1289
OESA-2026-1347
OPENSUSE-RU-2026:20649-1
OPENSUSE-SU-2026:10026-1
OPENSUSE-SU-2026:10096-1
OPENSUSE-SU-2026:20127-1
OPENSUSE-SU-2026:20271-1
RHSA-2026:1086
RHSA-2026:1087
RHSA-2026:1088
RHSA-2026:1089
RHSA-2026:11722
RHSA-2026:1224
RHSA-2026:1226
RHSA-2026:1239
RHSA-2026:1240
RHSA-2026:1241
RHSA-2026:1249
RHSA-2026:1254
RHSA-2026:1485
RHSA-2026:1497
RHSA-2026:1506
RHSA-2026:1546
RHSA-2026:1618
RHSA-2026:1619
RHSA-2026:1674
RHSA-2026:1676
RHSA-2026:1693
RHSA-2026:1704
RHSA-2026:1706
RHSA-2026:1712
RHSA-2026:1717
RHSA-2026:1726
RHSA-2026:1729
RHSA-2026:1734
RHSA-2026:1735
RHSA-2026:1791
RHSA-2026:1792
RHSA-2026:1793
RHSA-2026:1794
RHSA-2026:1795
RHSA-2026:1803
RHSA-2026:1805
RHSA-2026:1957
RHSA-2026:2060
RHSA-2026:2717
RHSA-2026:2718
RHSA-2026:2723
RHSA-2026:2728
RHSA-2026:2760
RHSA-2026:2764
RHSA-2026:2765
RHSA-2026:9031
SUSE-RU-2026:21397-1
SUSE-RU-2026:21430-1
SUSE-SU-2026:0367-1
SUSE-SU-2026:0443-1
SUSE-SU-2026:0635-1
SUSE-SU-2026:1067-1
SUSE-SU-2026:1412-1
SUSE-SU-2026:20175-1
SUSE-SU-2026:20189-1
SUSE-SU-2026:20443-1
SUSE-SU-2026:20485-1
SUSE-SU-2026:20591-1
USN-7927-1
USN-7927-2
USN-7927-3
USN-8344-1
USN-8344-2
USN-8344-3

Affected Products

Alt Linux
Debian
Linuxmint
Red Os
Rocky Linux
Ubuntu
Urllib3