CVE-2025-66471

7.5 HIGH

📋 TL;DR

CVE-2025-66471 is a resource exhaustion vulnerability in urllib3's streaming API that occurs when a compressed HTTP response is decoded. A malicious or compromised server (or an on-path attacker, for plain HTTP) returns a small, highly compressed body; decoding it in the streaming path costs far more CPU and memory than the bytes on the wire suggest, so the client can be driven into denial of service. This affects Python applications using urllib3 versions 1.0 through 2.5.x as an HTTP client.

💻 Affected Systems

Products:
  • urllib3
Versions: 1.0 through 2.5.x
Operating Systems: All operating systems running Python
Default Config Vulnerable: ⚠️ Yes (no setting is required to reach the affected code path beyond using the streaming API)
Notes: Only code paths that consume a compressed response through the streaming API are affected (preload_content=False, i.e. read()/stream() on a response that was not preloaded). Standard non-streaming usage is not vulnerable. The vulnerable party is the client: it must fetch a body from a server the attacker controls or can tamper with.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete denial of service through resource exhaustion, crashing applications or servers due to memory exhaustion and high CPU utilization.

🟠

Likely Case

Degraded application performance, increased latency, and potential service disruption under targeted attacks.

🟢

If Mitigated

Minimal impact with proper monitoring and resource limits in place, though some performance degradation may still occur.

🌐 Internet-Facing: HIGH - The exposure is outbound, not inbound: any service that fetches URLs it does not fully control (webhook callers, link previewers, crawlers, integrations with third-party APIs) on a vulnerable urllib3 can be handed a crafted compressed response.
🏢 Internal Only: MEDIUM - Services that only talk to internal endpoints are still vulnerable, but the attacker first needs to control or tamper with one of those endpoints (or reach them through an SSRF), so the attack surface is smaller than for internet-facing fetchers.

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires serving a compressed HTTP response to a vulnerable client, so the attacker must control, or be able to tamper with, a server the client fetches from. No authentication to the victim is needed because the victim is the client, and a highly compressible payload (a decompression bomb) is trivial to produce with standard compression tools.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.6.0

Vendor Advisory: https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37

Restart Required: Yes

Instructions:

1. Update urllib3 (quote the specifier, otherwise the shell treats `>=` as a redirect): pip install --upgrade 'urllib3>=2.6.0'
2. Restart all Python applications using urllib3
3. Verify no applications are pinned to vulnerable versions: check requirements.txt, lock files, container images and vendored copies, and remember that urllib3 usually arrives as a transitive dependency of requests, so upgrading requests alone does not guarantee a fixed urllib3

🔧 Temporary Workarounds

Disable response compression

Platform: all

Configure HTTP clients not to ask for compressed responses by sending Accept-Encoding: identity. Caveat: a malicious server can ignore Accept-Encoding and still reply with Content-Encoding: gzip or deflate (or brotli/zstd when the optional extras are installed), and urllib3 decodes based on the response header, not on what was requested. This workaround therefore only helps against honest servers and should be paired with a decoded-size cap.

# In Python code: headers={'Accept-Encoding': 'identity'}

Limit response sizes

Platform: all

Implement maximum response size limits to prevent memory exhaustion. requests.get has no max_content_length argument; the cap has to be enforced by the caller while consuming the stream. On vulnerable urllib3 versions the first decoded chunk can already be far larger than the requested chunk size, so a byte counter bounds the total but not the single allocation that triggers the bug; reading with decode_content=False and decoding under your own cap closes that gap.

# In Python code: r = requests.get(url, stream=True)
# then: for chunk in r.iter_content(65536): total += len(chunk); abort once total > cap
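The expansion the TL;DR describes and the decoded-size cap this workaround asks for, shown as an added example built on the standard library's zlib rather than on urllib3 (this is not code from this page or from the urllib3 project). The payload is a constructed gzip bomb, the sizes are arbitrary, and the names iter_inflate_bounded, read_bounded and DecodedSizeExceeded are this example's own. naive_decoded_size is the unbounded behaviour; iter_inflate_bounded is the pattern to apply to raw bytes obtained with decode_content=False, or in any consumer that decodes compressed bodies itself:

```python
import gzip
import io
import zlib

# Constructed sample input: 16 MiB of zero bytes, gzip-compressed. Zeros are
# the classic decompression-bomb payload: a few KiB on the wire, many MiB once
# decoded. The sizes below are arbitrary choices for the demonstration.
DECODED_SIZE = 16 * 1024 * 1024


def build_gzip_bomb(decoded_size: int = DECODED_SIZE) -> bytes:
    """Return a gzip body that inflates to `decoded_size` zero bytes."""
    return gzip.compress(b"\x00" * decoded_size, compresslevel=9)


def naive_decoded_size(body: bytes) -> int:
    """What an unbounded decoder does: inflate the whole body into one buffer.
    Memory use is dictated by the attacker's compression ratio, not by the
    caller's chunk size."""
    return len(zlib.decompress(body, 16 + zlib.MAX_WBITS))


class DecodedSizeExceeded(Exception):
    """Raised when the decoded body passes the caller's cap."""


def iter_inflate_bounded(body: bytes, max_decoded: int,
                         chunk_in: int = 64 * 1024,
                         chunk_out: int = 64 * 1024):
    """Inflate a gzip body in pieces, yielding at most `chunk_out` decoded bytes
    per step and aborting once more than `max_decoded` bytes have been produced.

    decompressobj.decompress(data, max_length) stops producing output at
    max_length and parks the unprocessed input in unconsumed_tail, so peak
    memory is bounded by chunk_in + chunk_out regardless of the ratio.
    """
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16+: expect a gzip header
    src = io.BytesIO(body)
    pending = b""
    src_done = False
    total = 0
    while True:
        if not pending:
            pending = src.read(chunk_in)
            src_done = not pending
        # An empty `pending` after the input ends still drains output zlib has
        # buffered internally (a match can be cut off by the output cap).
        out = d.decompress(pending, chunk_out)
        pending = d.unconsumed_tail
        if out:
            total += len(out)
            if total > max_decoded:
                raise DecodedSizeExceeded(
                    f"decoded body exceeds {max_decoded} bytes")
            yield out
        if d.eof:
            break
        if not out and not pending and src_done:
            raise ValueError("truncated or corrupt gzip stream")


def read_bounded(body: bytes, max_decoded: int) -> bytes:
    """Convenience wrapper: the decoded body, or DecodedSizeExceeded."""
    return b"".join(iter_inflate_bounded(body, max_decoded))


if __name__ == "__main__":
    bomb = build_gzip_bomb()
    print(f"on the wire: {len(bomb)} bytes, decoded: {naive_decoded_size(bomb)} bytes")
    try:
        read_bounded(bomb, max_decoded=1024 * 1024)
    except DecodedSizeExceeded as exc:
        print("bounded decoder stopped:", exc)
```

The cap is checked on decoded bytes, which is the quantity the attacker controls through the compression ratio; checking Content-Length or bytes received from the socket tells you nothing about how large the body will be after decoding.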

🧯 If You Can't Patch

  • Implement network-level controls (an egress proxy) to strip or limit compressed HTTP responses on the way to vulnerable clients
  • Run outbound-fetch workers under memory limits (ulimit -v or a cgroup memory.max) so a decompression bomb kills one worker rather than the host
  • Deploy resource monitoring and alerting for abnormal memory/CPU usage patterns

🔍 How to Verify

Check if Vulnerable:

Check urllib3 version: python -c "import urllib3; print(urllib3.__version__)" and verify whether it is between 1.0 and 2.5.x. This reports only the interpreter on PATH; repeat it inside every virtualenv, container image and embedded Python that makes outbound requests.

Check Version:

python -c "import urllib3; print('urllib3 version:', urllib3.__version__)"

Verify Fix Applied:

Verify urllib3 version is 2.6.0 or higher: python -c "import urllib3; print(urllib3.__version__)"
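A version check that avoids the usual pitfall, as an added example (not code from this page or from urllib3): comparing version strings lexically puts "2.10.0" before "2.6.0", so the helper parses numeric tuples, and it uses importlib.metadata to report the package seen by the interpreter it runs under. The names parse_version, is_vulnerable_version and installed_status are this example's own, and dropping pre-release suffixes is an assumption of the helper:

```python
from importlib import metadata

FIXED_VERSION = (2, 6, 0)  # first release the advisory lists as patched


def parse_version(text: str) -> tuple:
    """'1.26.18' -> (1, 26, 18); '2.6.0rc1' -> (2, 6, 0).

    Pre-release suffixes are dropped, so a 2.6.0 pre-release compares as the
    final release; that is an assumption of this helper, not a property of
    urllib3's versioning."""
    parts = []
    for piece in text.strip().split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable_version(text: str) -> bool:
    """True for 1.0 <= version < 2.6.0, the range this page lists as affected."""
    return (1, 0, 0) <= parse_version(text) < FIXED_VERSION


def installed_status(dist: str = "urllib3"):
    """(version, vulnerable) for the interpreter running this script, or None
    when the distribution is not installed in it."""
    try:
        version = metadata.version(dist)
    except metadata.PackageNotFoundError:
        return None
    return version, is_vulnerable_version(version)


if __name__ == "__main__":
    status = installed_status()
    if status is None:
        print("urllib3 is not installed in this interpreter")
    else:
        version, vulnerable = status
        print(f"urllib3 {version}: {'VULNERABLE' if vulnerable else 'fixed'}")
```

Run it with each interpreter you ship (`/path/to/venv/bin/python check.py`); a clean result from the system Python says nothing about the virtualenv a service actually runs under.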

📡 Detection & Monitoring

Log Indicators:

  • Abnormally high memory usage in Python processes
  • Increased CPU utilization during HTTP response processing
  • Application crashes or restarts during HTTP operations

Network Indicators:

  • Unusually large HTTP responses with compression headers
  • Multiple compressed responses to single client

SIEM Query (starting point; the bare "urllib3" term matches any log line that mentions the library and will need tuning):

source="application_logs" AND ("MemoryError" OR "memory allocation failed" OR "Killed" OR "high cpu" OR "urllib3") AND process="python"
