Resource exhaustion in Urllib3

CVE-2025-66418

urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of comp…
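The mechanism described above, as an added example that is not urllib3's own code and not the fix that shipped in 2.6.0: a server gzips a body several times and advertises every layer in `Content-Encoding` (`gzip, gzip, gzip`), so a few hundred bytes on the wire inflate back to many megabytes. `decode_unbounded` follows the chain however long it is, as the affected versions did; `decode_bounded` refuses chains longer than `MAX_CHAIN_LINKS` before touching the body and caps every layer's output at `MAX_DECODED_BYTES`. Both cap values are illustrative choices for this example, not the limits urllib3 applies. Standard library only, no network.

```python
"""Nested Content-Encoding chains as a decompression bomb, and a bounded decoder.

Added example; not urllib3 code. MAX_CHAIN_LINKS and MAX_DECODED_BYTES are
illustrative values chosen here, not the limits urllib3 itself applies.
"""
import gzip
import zlib

MAX_CHAIN_LINKS = 5          # assumption: illustrative cap on codings in one chain
MAX_DECODED_BYTES = 1 << 20  # assumption: illustrative cap on decoded size per layer

# wbits value selecting the container format for zlib.decompressobj / zlib.decompress
_WBITS = {
    "gzip": 16 + zlib.MAX_WBITS,
    "x-gzip": 16 + zlib.MAX_WBITS,
    "deflate": zlib.MAX_WBITS,   # zlib-wrapped deflate, the form RFC 9110 specifies
}


class DecompressionChainError(ValueError):
    """The Content-Encoding chain is longer than the decoder is willing to follow."""


class DecompressionBombError(ValueError):
    """Decoding one layer would produce more bytes than the configured cap."""


def parse_content_encoding(header: str) -> list[str]:
    """Split 'gzip, gzip, deflate' into its codings in application order (outermost last)."""
    return [tok.strip().lower() for tok in header.split(",") if tok.strip()]


def build_nested_gzip(plaintext: bytes, layers: int) -> tuple[bytes, str]:
    """Play the malicious server: gzip the body `layers` times and advertise every layer."""
    body = plaintext
    for _ in range(layers):
        body = gzip.compress(body)
    return body, ", ".join(["gzip"] * layers)


def decode_unbounded(body: bytes, content_encoding: str) -> bytes:
    """Affected behaviour in miniature: walk the chain however long it is, with no size cap."""
    for coding in reversed(parse_content_encoding(content_encoding)):
        if coding not in _WBITS:
            raise ValueError(f"unsupported coding: {coding}")
        body = zlib.decompress(body, wbits=_WBITS[coding])
    return body


def _inflate_capped(data: bytes, wbits: int, max_output: int) -> bytes:
    """Inflate one layer, refusing to produce more than max_output bytes."""
    d = zlib.decompressobj(wbits=wbits)
    # Ask for one byte more than the cap: receiving it proves the cap would be exceeded,
    # and zlib stops there instead of materialising the whole bomb.
    out = d.decompress(data, max_output + 1)
    if len(out) > max_output:
        raise DecompressionBombError(f"decoded size exceeds {max_output} bytes")
    if not d.eof:
        raise ValueError("truncated or corrupt compressed stream")
    return out


def decode_bounded(body: bytes, content_encoding: str,
                   max_links: int = MAX_CHAIN_LINKS,
                   max_output: int = MAX_DECODED_BYTES) -> bytes:
    """Hardened decoder: reject long chains before decoding, cap each layer's output."""
    codings = parse_content_encoding(content_encoding)
    if len(codings) > max_links:
        raise DecompressionChainError(
            f"{len(codings)} codings in Content-Encoding, limit is {max_links}")
    for coding in reversed(codings):
        if coding not in _WBITS:
            raise ValueError(f"unsupported coding: {coding}")
        body = _inflate_capped(body, _WBITS[coding], max_output)
    return body


if __name__ == "__main__":
    # Constructed payload: 16 MiB of zeros, gzipped three times.
    bomb, header = build_nested_gzip(b"\0" * (16 << 20), layers=3)
    print(f"on the wire: {len(bomb)} bytes, Content-Encoding: {header}")
    print(f"unbounded decoder inflated {len(decode_unbounded(bomb, header))} bytes")
    for hdr in (header, ", ".join(["gzip"] * 8)):
        try:
            decode_bounded(bomb, hdr)
        except ValueError as exc:
            print(f"bounded decoder refused [{hdr}]: {exc}")
```

The chain-length check runs before any inflation, so a hostile header costs nothing; the per-layer cap handles the other half of the problem, where a short chain still hides a large expansion. Requesting `max_output + 1` bytes from `decompressobj` is what keeps the cap cheap: zlib stops producing output at that point rather than decoding the whole payload and measuring it afterwards.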

EPSS: 0.000 (5.9th percentile)

Affected products

  • Urllib3 — versions >= 1.24, < 2.6.0
