CVE-2025-66418

7.5 HIGH

📋 TL;DR

This vulnerability in urllib3 allows a malicious HTTP server to send specially crafted compressed responses that cause excessive CPU usage and memory allocation during decompression. It affects Python applications using urllib3 version 1.24 through 2.5.x to make HTTP requests. The attack can lead to denial of service through resource exhaustion.

💻 Affected Systems

Products:
  • urllib3
Versions: 1.24 through 2.5.x
Operating Systems: All operating systems running Python
Default Config Vulnerable: ⚠️ Yes
Notes: Any Python application using vulnerable urllib3 versions to make HTTP requests is affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete denial of service through CPU and memory exhaustion, potentially crashing the application or server.

🟠 Likely Case: Degraded performance and resource exhaustion affecting application availability.

🟢 If Mitigated: Limited impact with proper network segmentation and request filtering.

🌐 Internet-Facing: HIGH - Applications making HTTP requests to external servers are directly exposed.
🏢 Internal Only: MEDIUM - Internal services could be compromised if an attacker gains access to internal infrastructure.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires control over the HTTP server response, making it server-side initiated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.6.0

Vendor Advisory: https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53

Restart Required: Yes

Instructions:

1. Update urllib3: pip install --upgrade "urllib3>=2.6.0" (the quotes stop the shell from treating >= as an output redirection)
2. Restart all Python applications using urllib3
3. Verify the update with: pip show urllib3

🔧 Temporary Workarounds

Limit compression chain depth (all platforms)

Configure urllib3 to limit the maximum decompression chain length:

import urllib3
http = urllib3.PoolManager(max_decompression_chains=10)

Caveat: max_decompression_chains is not a keyword that urllib3.PoolManager accepts in the affected 1.24 through 2.5.x releases; unknown keywords are passed through to the HTTP connection constructor, which rejects them with a TypeError on the first request. Those releases have no setting that caps the chain, which is why upgrading is the fix. Confirm against your installed version before relying on this snippet.

Disable compression (all platforms)

Disable automatic decompression of HTTP responses. urllib3 exposes this through the per-request decode_content argument rather than a PoolManager option; the body then stays compressed and the application must decode it itself under its own size limit:

import urllib3
http = urllib3.PoolManager()
# decode_content=False (a per-request urlopen argument) turns off automatic decompression
resp = http.request("GET", "https://example.invalid/", decode_content=False)  # resp.data stays compressed

🧯 If You Can't Patch

  • Implement network controls to restrict HTTP requests to trusted servers only
  • Deploy rate limiting and resource monitoring to detect abnormal resource consumption

🔍 How to Verify

Check if Vulnerable / Check Version:

python -c "import urllib3; print(urllib3.__version__)"

Verify Fix Applied:

Verify the version is 2.6.0 or higher. Compare numerically rather than as strings, since a plain string comparison would misreport a version such as 2.10.0 as older than 2.6.0:

python -c "import urllib3; v = tuple(int(x) for x in urllib3.__version__.split('.')[:2]); print('Vulnerable' if v < (2, 6) else 'Patched')"

📡 Detection & Monitoring

Log Indicators:

  • Unusually high CPU usage by Python processes
  • Memory allocation spikes during HTTP requests
  • Application crashes or timeouts during HTTP operations

Network Indicators:

  • HTTP responses with multiple compression headers
  • Unusual traffic patterns to/from Python applications
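The two defensive pieces this page describes, refusing responses whose Content-Encoding stacks too many layers (the network indicator above) and decoding bodies yourself after turning off urllib3's automatic decompression (the "Disable compression" workaround), as one added example. This is code written for this page, not code from the advisory or from the urllib3 project. It assumes a local policy of MAX_LAYERS and MAX_BYTES (illustrative values, not urllib3 settings), uses urllib3's real per-request decode_content=False argument only inside fetch_bounded (which needs network and is not exercised offline), and all sample inputs are constructed, not captured traffic.

```python
import gzip
import zlib

# Assumed policy values for this example (not urllib3 defaults or settings).
MAX_LAYERS = 2          # refuse Content-Encoding chains longer than this
MAX_BYTES = 1_000_000   # refuse bodies that inflate past roughly 1 MB


class UnsafeResponse(Exception):
    """Raised when a response fails the chain-length or size checks."""


def parse_content_encoding(header):
    """Split a Content-Encoding value such as 'deflate, gzip' into its layers,
    in the order the server applied them; blanks and 'identity' are ignored."""
    if not header:
        return []
    layers = [part.strip().lower() for part in header.split(",")]
    return [enc for enc in layers if enc and enc != "identity"]


def check_encoding_chain(header, max_layers=MAX_LAYERS):
    """Detection half: reject chains that are too long or that use codings this
    example does not decode. Returns the accepted layer list."""
    layers = parse_content_encoding(header)
    if len(layers) > max_layers:
        raise UnsafeResponse(
            f"Content-Encoding chain of {len(layers)} layers exceeds limit {max_layers}")
    for enc in layers:
        if enc not in ("gzip", "x-gzip", "deflate"):
            raise UnsafeResponse(f"unsupported content coding {enc!r}")
    return layers


def _inflate_one(data, encoding, max_bytes):
    """Undo one layer with zlib without ever producing more than max_bytes."""
    if encoding in ("gzip", "x-gzip"):
        wbits_options = [16 + zlib.MAX_WBITS]              # gzip framing
    else:
        wbits_options = [zlib.MAX_WBITS, -zlib.MAX_WBITS]  # zlib-wrapped, then raw deflate
    last_error = None
    for wbits in wbits_options:
        d = zlib.decompressobj(wbits)
        try:
            # max_length bounds the output; unprocessed input lands in unconsumed_tail
            out = d.decompress(data, max_bytes + 1)
        except zlib.error as exc:
            last_error = exc
            continue
        # Check before flush(): flush() would inflate the unconsumed tail unbounded.
        if len(out) > max_bytes or d.unconsumed_tail:
            raise UnsafeResponse(f"{encoding} layer inflates past {max_bytes} bytes")
        out += d.flush()
        if len(out) > max_bytes:
            raise UnsafeResponse(f"{encoding} layer inflates past {max_bytes} bytes")
        return out
    raise UnsafeResponse(f"malformed {encoding} data: {last_error}")


def decode_body(raw, content_encoding, max_layers=MAX_LAYERS, max_bytes=MAX_BYTES):
    """Mitigation half: decode a body fetched with decode_content=False, undoing
    the layers in reverse order of application under both limits."""
    body = raw
    for enc in reversed(check_encoding_chain(content_encoding, max_layers)):
        body = _inflate_one(body, enc, max_bytes)
    return body


def fetch_bounded(url, http=None, max_bytes=MAX_BYTES):
    """Fetch with urllib3's real decode_content=False so urllib3 inflates nothing
    itself, then decode under the limits above. Needs network; not run offline."""
    import urllib3  # lazy import: the offline parts of this example do not need it
    http = http or urllib3.PoolManager()
    resp = http.request("GET", url, decode_content=False, preload_content=False)
    try:
        raw = resp.read(max_bytes + 1)   # also cap the compressed bytes we buffer
        if len(raw) > max_bytes:
            raise UnsafeResponse("compressed body exceeds limit")
        return decode_body(raw, resp.headers.get("Content-Encoding"), max_bytes=max_bytes)
    finally:
        resp.release_conn()


# Constructed sample inputs (not captured traffic).
SAMPLE_NESTED = gzip.compress(zlib.compress(b"payload"))   # 'deflate' applied, then 'gzip'
SAMPLE_NESTED_ENCODING = "deflate, gzip"
SAMPLE_BOMB = gzip.compress(b"\0" * 5_000_000)              # ~5 MB of output from a few KB


if __name__ == "__main__":
    print(decode_body(SAMPLE_NESTED, SAMPLE_NESTED_ENCODING))
    for header, body in (("gzip, gzip, gzip", b""), ("gzip", SAMPLE_BOMB)):
        try:
            decode_body(body, header)
        except UnsafeResponse as exc:
            print("rejected:", exc)
```

decode_body undoes the layers in reverse order because Content-Encoding lists codings in the order the server applied them. The output cap is enforced per layer with zlib's max_length argument, and the size check runs before flush(), since flush() would otherwise inflate whatever input the bounded call left unprocessed.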

SIEM Query:

source="application.logs" AND ("urllib3" OR "HTTP request") AND ("high cpu" OR "memory spike" OR "decompression")
