CVE-2025-66471
Excessive Resource Consumption vulnerability in urllib3 (PyPI)
What is CVE-2025-66471 About?
This vulnerability in urllib3's streaming API can lead to excessive resource consumption when streaming highly compressed HTTP responses. It allows a remote attacker to cause high CPU usage and massive memory allocation on the client. Exploitation is relatively easy as it leverages common HTTP streaming mechanisms with crafted compressed data.
Affected Software
Technical Details
urllib3's streaming API reads HTTP response content in chunks so that large responses can be handled efficiently. When a compressed response is streamed, urllib3 decodes it according to the Content-Encoding header. The vulnerability arises because the decompression logic can fully decode a small amount of highly compressed input in a single operation, producing output with a very large expansion ratio. The client must then allocate memory for, and spend CPU time on, far more decompressed data than the small chunk it requested, and this disproportionate resource usage results in a denial-of-service condition.
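To make the expansion ratio concrete, here is an added Python example (not urllib3's code, and not from the advisory) that constructs a small zlib-compressed body and compares the naive per-chunk decode with a bounded decode built on zlib.decompressobj's max_length and unconsumed_tail, the kind of cap a streaming client needs so that a request for a small chunk cannot turn into a huge allocation.

```python
import zlib

# Constructed sample (not a real response): 8 MiB of zero bytes compresses to
# roughly 8 KiB with zlib, standing in for a small, highly compressed body.
DECOMPRESSED_SIZE = 8 * 1024 * 1024
COMPRESSED_BODY = zlib.compress(b"\x00" * DECOMPRESSED_SIZE, 9)


def naive_stream_decode(body: bytes, chunk_size: int) -> int:
    """Vulnerable pattern: hand each network chunk to the decoder and accept
    whatever it produces. Returns the largest single decoded output, which is
    what a caller that asked for chunk_size bytes actually has to hold."""
    decoder = zlib.decompressobj()
    largest = 0
    for off in range(0, len(body), chunk_size):
        out = decoder.decompress(body[off:off + chunk_size])
        largest = max(largest, len(out))
    return largest


def bounded_stream_decode(body: bytes, chunk_size: int) -> tuple[int, int]:
    """Hardened pattern: cap every decompress() call with max_length and feed
    decoder.unconsumed_tail back in, so no single step yields more than
    chunk_size bytes. Returns (largest single output, total decoded bytes)."""
    decoder = zlib.decompressobj()
    largest = total = 0
    for off in range(0, len(body), chunk_size):
        pending = body[off:off + chunk_size]
        while pending:
            out = decoder.decompress(pending, chunk_size)
            # Input left over because the output cap was hit; decode it next round.
            pending = decoder.unconsumed_tail
            if not out and pending:
                raise ValueError("decoder made no progress")
            largest = max(largest, len(out))
            total += len(out)
    return largest, total


if __name__ == "__main__":
    chunk = 1024
    print("compressed body:", len(COMPRESSED_BODY), "bytes")
    print("naive: largest output from one", chunk, "byte chunk:",
          naive_stream_decode(COMPRESSED_BODY, chunk))
    largest, total = bounded_stream_decode(COMPRESSED_BODY, chunk)
    print("bounded: largest single output", largest, "bytes, total", total)
```

With a 1024-byte chunk the naive decoder hands back hundreds of kilobytes in one step, while the bounded decoder never returns more than 1024 bytes per step and still reconstructs the full body.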
What is the Impact of CVE-2025-66471?
Successful exploitation may allow attackers to cause a denial-of-service condition, leading to system unresponsiveness, crashes, or instability due to excessive resource allocation.
What is the Exploitability of CVE-2025-66471?
Exploitation requires remote access: an attacker would need to control a malicious server that returns specially crafted, highly compressed HTTP responses. There are no authentication or specific privilege requirements on the client, and the vulnerability can be triggered via standard HTTP requests whenever the client application uses urllib3 to stream untrusted content. The complexity is low, as it relies on the intrinsic behavior of decompression algorithms combined with client-side resource-management oversights. The primary risk factor is the application's interaction with untrusted remote servers and its reliance on urllib3's default streaming and decompression behavior.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2025-66471?
About the Fix from Resolved Security
Available Upgrade Options
- urllib3
- >=1.0, <2.6.0 → Upgrade to 2.6.0
Additional Resources
- https://github.com/urllib3/urllib3/commit/c19571de34c47de3a766541b041637ba5f716ed7
- https://osv.dev/vulnerability/GHSA-2xpw-w6gg-jr37
- https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37
- https://nvd.nist.gov/vuln/detail/CVE-2025-66471
- https://github.com/urllib3/urllib3
What are Similar Vulnerabilities to CVE-2025-66471?
Similar Vulnerabilities: CVE-2025-66418, CVE-2022-XXXXX, CVE-2021-YYYYY, CVE-2020-ZZZZZ, CVE-2019-AAAAA
