CVE-2025-66418
Excessive Resource Consumption vulnerability in urllib3 (PyPI)
What is CVE-2025-66418 About?
This vulnerability in urllib3 allows for excessive resource consumption due to an unbounded number of chained HTTP encoding algorithms. A malicious server can insert a virtually unlimited number of compression steps, leading to high CPU usage and massive memory allocation. Exploitation is relatively easy by a hostile server providing specially crafted HTTP responses.
Affected Software
Technical Details
urllib3 versions 2.5.0 and earlier support chained HTTP encoding algorithms for response content, adhering to RFC 9110 (e.g., Content-Encoding: gzip, zstd). The vulnerability arises because the library did not impose a limit on the number of links within this decompression chain. This oversight allows a malicious server to respond with a Content-Encoding header specifying an arbitrarily long chain of compression algorithms. When urllib3 attempts to decompress this response, it continuously applies decompression steps, leading to a massive expansion of the data and consequently, excessive CPU utilization and memory allocation on the client system, causing a denial-of-service.
What is the Impact of CVE-2025-66418?
Successful exploitation may allow attackers to cause a denial-of-service condition, leading to system unresponsiveness, crashes, or instability due to excessive resource allocation.
What is the Exploitability of CVE-2025-66418?
Exploitation requires remote access, as an attacker must control a malicious server that provides HTTP responses with a long chain of Content-Encoding values. There are no authentication or specific privilege requirements on the client, and the vulnerability can be triggered via standard HTTP requests if the client application uses urllib3 to fetch content from untrusted sources. The complexity is low, as it leverages a structural oversight in Content-Encoding processing rather than complex code injection. The primary risk factor is client applications making HTTP requests to untrusted or compromised web servers that can manipulate response headers.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2025-66418?
About the Fix from Resolved Security
This patch limits the number of chained HTTP content encodings to five by raising a DecodeError if more are present in the Content-Encoding header. This prevents excessive memory or CPU usage from deeply nested or maliciously crafted encodings, thus fixing CVE-2025-66418, which allowed denial of service through resource exhaustion attacks.
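The following is an added example, not urllib3's own code or the patch referenced above. It shows the defence the fix describes, a hard cap of five chained content codings enforced before any decoding starts, together with a per-layer decoded-size ceiling (the ceiling, the `max_decoded` parameter and the helper names are assumptions, not something the advisory specifies). Only gzip and deflate are implemented, using the standard library; codings are applied in the order listed and therefore undone in reverse, as RFC 9110 requires.

```python
"""Bounded Content-Encoding chain decoding (added example, not urllib3 code)."""
import gzip
import zlib

MAX_ENCODING_CHAIN = 5                 # limit from the fix described in the advisory
DEFAULT_MAX_DECODED = 10 * 1024 * 1024 # assumed per-layer output ceiling, not from the page
SUPPORTED = ("gzip", "x-gzip", "deflate", "identity")


class DecodeError(Exception):
    """Raised for an over-long chain, an unknown coding, or an oversized layer."""


def parse_content_encoding(header: str) -> list:
    """Split a Content-Encoding header into its ordered codings.

    The chain length is checked here, before any decompression work is done,
    so a hostile header costs the client nothing more than a string split.
    """
    codings = [c.strip().lower() for c in header.split(",") if c.strip()]
    if len(codings) > MAX_ENCODING_CHAIN:
        raise DecodeError(
            f"Content-Encoding chain of {len(codings)} exceeds limit {MAX_ENCODING_CHAIN}"
        )
    for coding in codings:
        if coding not in SUPPORTED:
            raise DecodeError(f"unsupported content coding: {coding!r}")
    return codings


def _inflate(data: bytes, coding: str, max_decoded: int) -> bytes:
    """Decompress one layer, refusing to produce more than max_decoded bytes."""
    # gzip framing needs wbits of 16 + MAX_WBITS; HTTP "deflate" is zlib-wrapped
    wbits = 16 + zlib.MAX_WBITS if coding in ("gzip", "x-gzip") else zlib.MAX_WBITS
    dec = zlib.decompressobj(wbits)
    # max_length stops zlib from expanding a bomb further than we allow
    out = dec.decompress(data, max_decoded + 1)
    if len(out) > max_decoded or dec.unconsumed_tail:
        raise DecodeError(f"{coding} layer exceeds decoded size ceiling of {max_decoded}")
    return out


def decode_body(body: bytes, header: str, max_decoded: int = DEFAULT_MAX_DECODED) -> bytes:
    """Undo every coding in the header, last-applied first."""
    codings = parse_content_encoding(header)
    for coding in reversed(codings):
        if coding == "identity":
            continue
        body = _inflate(body, coding, max_decoded)
    return body


def encode_body(body: bytes, codings) -> bytes:
    """Constructed test helper: apply codings in order, as a server would."""
    for coding in codings:
        if coding in ("gzip", "x-gzip"):
            body = gzip.compress(body)
        elif coding == "deflate":
            body = zlib.compress(body)
    return body


def rejects(header: str, body: bytes = b"", max_decoded: int = DEFAULT_MAX_DECODED) -> bool:
    """True if decoding the response would be refused with DecodeError."""
    try:
        decode_body(body, header, max_decoded)
    except DecodeError:
        return True
    return False


if __name__ == "__main__":
    payload = b"hello world" * 100                      # constructed sample body
    wire = encode_body(payload, ["deflate", "gzip"])
    print(decode_body(wire, "deflate, gzip") == payload)
    print(rejects(", ".join(["gzip"] * 6), wire))      # six links: refused
    print(rejects("gzip", gzip.compress(b"\0" * 5000), max_decoded=1000))
```

The two checks are independent: the chain-length cap addresses this CVE, while the per-layer size ceiling protects against a single layer that expands far beyond what the client expects. Both are evaluated before memory is committed, which is the property the fix restores.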
Available Upgrade Options
- urllib3
- >=1.24, <2.6.0 → Upgrade to 2.6.0
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2025-66418
- https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53
- https://osv.dev/vulnerability/GHSA-gm62-xv2j-4w53
- https://github.com/urllib3/urllib3/commit/24d7b67eac89f94e11003424bcf0d8f7b72222a8
- https://github.com/urllib3/urllib3
What are Similar Vulnerabilities to CVE-2025-66418?
Similar Vulnerabilities: CVE-2025-66471
