CVE-2025-66418 Overview
CVE-2025-66418 is a resource exhaustion vulnerability in urllib3, a widely used HTTP client library for Python (and the transport underneath requests). It affects versions from 1.24 up to, but not including, 2.6.0. A malicious server can return a response whose Content-Encoding header lists an unbounded number of compression steps; the client builds an equally long decompression chain and, while decoding the body, consumes large amounts of CPU time and memory.
Critical Impact
A malicious server can use this flaw to cause a denial of service in any Python application that fetches responses from servers it does not control through an affected urllib3 version, directly or via a dependency such as requests. The cost is paid on the client during response decompression, in both CPU time and memory.
Affected Products
- Python urllib3 versions >= 1.24 and < 2.6.0
- Applications and frameworks depending on vulnerable urllib3 versions
- Python-based services making HTTP requests to untrusted servers
Discovery Timeline
- December 5, 2025 - CVE-2025-66418 published to NVD
- December 10, 2025 - Last updated in NVD database
Technical Details for CVE-2025-66418
Vulnerability Analysis
This vulnerability falls under CWE-770 (Allocation of Resources Without Limits or Throttling). urllib3 transparently decodes response bodies whose Content-Encoding header names a supported coding such as gzip, deflate or brotli (and zstd in the 2.x series). Content-Encoding is a list-valued header: a server may stack several codings, listed in the order they were applied, and the client must undo them in reverse. Affected versions built one decoder per listed coding without enforcing any limit on how many codings the list may contain.
A malicious server can therefore name as many codings as it likes, for example "gzip" repeated hundreds of times, and wrap the body accordingly. A vulnerable client walks the whole list, allocating decompressor state and an intermediate buffer for every link and spending CPU time on each decoding pass. Because the chain length is chosen by the server, the client's work is unbounded; if each layer also expands its input, the intermediate data grows at every step as well.
Root Cause
The root cause of this vulnerability is the absence of a maximum limit on the number of links allowed in the decompression chain. The urllib3 library's response handling code accepted an arbitrary number of Content-Encoding transformations without validating or restricting the total count. This design oversight allowed attackers to specify virtually unlimited compression steps, leading to resource exhaustion when the client processed the malicious response.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker must control, or be able to compromise or impersonate, a server that a vulnerable urllib3 client connects to. When the client makes an HTTP request, the server answers with a crafted response whose Content-Encoding header lists an excessive number of codings (the same coding repeated, or the header line itself repeated). The client then attempts to decode the body through every listed coding, triggering the resource exhaustion condition.
The attack scenario involves:
- Attacker sets up or compromises a web server
- Victim application using vulnerable urllib3 makes an HTTP request to the attacker-controlled server
- Server responds with deeply nested compression encodings
- urllib3 attempts to decompress all layers without limits
- Client system experiences high CPU usage and memory exhaustion
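The following is an added example, not urllib3's own code and not the advisory's proof of concept. It builds, in memory, the response a malicious server would send (the body gzipped CHAIN_DEPTH times and a Content-Encoding header naming every layer), then decodes it two ways: with no limit, which is the behaviour of the affected versions, and with a link limit checked before any decompressor is allocated, which is the general shape of the fix. The payload, the depth of 64, and the names build_malicious_response, decode_response and DecompressionChainTooLong are assumptions made for this demonstration; the limit of 5 used below is arbitrary and is not urllib3's actual value.

```python
"""Chained Content-Encoding: unbounded decoding versus a link limit (stdlib only)."""
import gzip
import zlib
from typing import Optional

# Constructed values for the demo; a real attacker picks the depth.
PAYLOAD = b"GET /status -> ok\n" * 32
CHAIN_DEPTH = 64


def build_malicious_response(depth: int, payload: bytes = PAYLOAD) -> tuple:
    """Emulate a server that gzips the body `depth` times and advertises every layer.

    RFC 9110 lists codings in the order they were applied, so a client must
    undo them from last to first. Returns (headers, body).
    """
    body = payload
    for _ in range(depth):
        body = gzip.compress(body)
    headers = {
        "Content-Type": "text/plain",
        "Content-Encoding": ", ".join(["gzip"] * depth),
        "Content-Length": str(len(body)),
    }
    return headers, body


def parse_content_encoding(value: Optional[str]) -> list:
    """Split the comma-separated coding list into lowercase tokens, dropping empties."""
    if not value:
        return []
    return [tok.strip().lower() for tok in value.split(",") if tok.strip()]


class DecompressionChainTooLong(ValueError):
    """Raised before any decoder is allocated when the chain exceeds the limit."""


def decode_response(headers: dict, body: bytes, max_links: Optional[int] = None) -> tuple:
    """Undo each advertised coding, last-applied first.

    max_links=None reproduces the unbounded behaviour of the affected versions:
    every token in the header costs one decompressor and one intermediate buffer.
    Returns (decoded_body, decompression_steps_performed).
    """
    codings = parse_content_encoding(headers.get("Content-Encoding"))
    if max_links is not None and len(codings) > max_links:
        raise DecompressionChainTooLong(
            f"{len(codings)} codings in Content-Encoding, limit is {max_links}")
    steps = 0
    for coding in reversed(codings):
        if coding in ("gzip", "x-gzip"):
            body = zlib.decompress(body, wbits=31)  # 16 + MAX_WBITS: gzip wrapper
        elif coding == "deflate":
            body = zlib.decompress(body, wbits=15)  # zlib-wrapped deflate
        elif coding == "identity":
            continue
        else:
            raise ValueError(f"unsupported content coding {coding!r}")
        steps += 1
    return body, steps


if __name__ == "__main__":
    headers, body = build_malicious_response(CHAIN_DEPTH)
    print("advertised codings:", len(parse_content_encoding(headers["Content-Encoding"])))
    decoded, steps = decode_response(headers, body)      # affected behaviour: walks all 64 links
    print("unbounded: steps =", steps, "roundtrip ok =", decoded == PAYLOAD)
    try:
        decode_response(headers, body, max_links=5)      # bounded: rejected before any decoding
    except DecompressionChainTooLong as exc:
        print("bounded:", exc)
```

The important detail is where the check sits: the bounded decoder rejects the response after parsing the header and before allocating a single decompressor, so a hostile chain costs the client nothing beyond reading the header. Raising the depth constant shows that the unbounded path does proportionally more work for every extra token the server adds.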
Detection Methods for CVE-2025-66418
Indicators of Compromise
- Unusual memory consumption spikes in Python processes making HTTP requests
- High CPU utilization associated with decompression operations in urllib3
- Application crashes or out-of-memory errors during HTTP response processing
- HTTP responses whose Content-Encoding header lists an abnormal number of codings, or repeats the header line many times
Detection Strategies
- Monitor Python application resource usage for unexpected spikes during HTTP operations
- Implement network inspection rules to detect HTTP responses with excessive Content-Encoding headers
- Use application performance monitoring (APM) tools to identify slow or resource-intensive HTTP decompression operations
- Audit installed Python packages to identify vulnerable urllib3 versions (>= 1.24 and < 2.6.0)
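Two of the checks above can be scripted. The block below is an added example, not tooling from the urllib3 project: it counts the codings a captured response head advertises (combining repeated header lines, as a client would) and flags chains longer than a site-chosen threshold, and it tests a urllib3 version string against the advisory's range of >=1.24 and <2.6.0, reporting the locally installed package if one is present. The three sample response heads, the threshold of 2, and the names content_codings, suspicious_response and is_affected are constructed for this demonstration.

```python
"""Detection helpers for CVE-2025-66418: header inspection and version audit (stdlib only)."""
import re
from email.parser import BytesParser
from importlib import metadata
from typing import Optional

# Constructed response heads, as a proxy or packet capture would hand them to a rule.
SAMPLE_HEADS = {
    "benign": (b"HTTP/1.1 200 OK\r\n"
               b"Content-Type: text/html\r\n"
               b"Content-Encoding: gzip\r\n"
               b"Content-Length: 1024\r\n\r\n"),
    "nested": (b"HTTP/1.1 200 OK\r\n"
               b"Content-Type: application/json\r\n"
               b"Content-Encoding: gzip, gzip, gzip, gzip, gzip, gzip, gzip, gzip\r\n"
               b"Content-Length: 512\r\n\r\n"),
    # Repeated field lines are combined into one list (RFC 9110), so this is a four-link chain.
    "repeated": (b"HTTP/1.1 200 OK\r\n"
                 b"Content-Encoding: gzip\r\n"
                 b"Content-Encoding: deflate, br\r\n"
                 b"content-encoding: gzip\r\n\r\n"),
}

MAX_EXPECTED_CODINGS = 2  # site-specific threshold; legitimate servers rarely stack codings at all


def content_codings(raw_head: bytes) -> list:
    """Return every coding token across all Content-Encoding lines, lowercased, in order."""
    _status, _, fields = raw_head.partition(b"\r\n")
    msg = BytesParser().parsebytes(fields)
    tokens = []
    for line in msg.get_all("Content-Encoding", []):  # field-name lookup is case-insensitive
        tokens.extend(t.strip().lower() for t in line.split(",") if t.strip())
    return tokens


def suspicious_response(raw_head: bytes, limit: int = MAX_EXPECTED_CODINGS) -> bool:
    """Rule: flag a response whose decompression chain would exceed `limit` links."""
    return len(content_codings(raw_head)) > limit


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[.\-]?(a|b|rc|dev)\d*)?")


def version_key(version: str) -> tuple:
    """Map 'major.minor[.patch][pre]' to a sortable tuple; pre-releases sort below the final."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unparseable version {version!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1)


AFFECTED_FROM = version_key("1.24")
FIXED_IN = version_key("2.6.0")


def is_affected(version: str) -> bool:
    """True if this urllib3 version falls in the advisory's range >=1.24, <2.6.0.

    Pre-releases of 2.6.0 are treated as affected, which errs on the side of caution.
    """
    return AFFECTED_FROM <= version_key(version) < FIXED_IN


def installed_urllib3_status() -> Optional[str]:
    """Describe the urllib3 installed in this interpreter, or None if it is absent."""
    try:
        v = metadata.version("urllib3")
    except metadata.PackageNotFoundError:
        return None
    verdict = "AFFECTED, upgrade to >=2.6.0" if is_affected(v) else "not in affected range"
    return f"urllib3 {v}: {verdict}"


if __name__ == "__main__":
    for name, head in SAMPLE_HEADS.items():
        print(f"{name:9s} codings={content_codings(head)} suspicious={suspicious_response(head)}")
    print(installed_urllib3_status() or "urllib3 is not installed in this interpreter")
```

Counting across repeated header lines matters: a client that merges duplicate Content-Encoding fields sees one long chain even when no single line looks unusual, so a rule that only inspects the first occurrence will miss that variant. The version check is a convenience for one interpreter; for fleet-wide coverage, run it from a dependency scanner or compare lock-file pins against the same range.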
Monitoring Recommendations
- Deploy resource monitoring on systems running Python applications that make outbound HTTP requests
- Configure alerting thresholds for memory and CPU utilization anomalies
- Implement logging for HTTP client operations to capture response metadata including encoding information
- Use dependency scanning tools to continuously monitor for vulnerable urllib3 installations across your environment
How to Mitigate CVE-2025-66418
Immediate Actions Required
- Upgrade urllib3 to version 2.6.0 or later immediately
- Audit all Python applications and dependencies for urllib3 usage
- Review and update requirements files, Pipfile, pyproject.toml, or other dependency manifests
- Rebuild container images and deployment artifacts that include urllib3
Patch Information
The vulnerability has been fixed in urllib3 version 2.6.0. The fix introduces a limit on the number of decompression steps that can be chained together, preventing resource exhaustion attacks. The patch is available via the standard Python package managers.
For detailed information about the fix, refer to the GitHub Security Advisory GHSA-gm62-xv2j-4w53 and the GitHub Commit 24d7b67.
Workarounds
- Restrict outbound HTTP connections to trusted servers only where possible
- Implement network-level controls to filter responses with excessive compression headers
- Consider using a web application firewall (WAF) or proxy to inspect and limit HTTP response encoding chains
- If upgrading is not immediately possible, enforce application-level timeouts and process resource limits (for example memory limits via cgroups or RLIMIT_AS) on services that fetch from untrusted servers, so a hostile response cannot take the host down with the process
- Where the calling code can change but the library cannot, request the body with decode_content=False, count the codings listed in Content-Encoding (combining repeated header lines), and decode only chains within an application-chosen limit
# Upgrade urllib3 to the patched version
pip install --upgrade "urllib3>=2.6.0"
# Verify the installed version
pip show urllib3 | grep Version
# For requirements.txt, update the dependency
# urllib3>=2.6.0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


