CVE-2025-66418

EUVD-2025-201421 | HIGH 7.5 (CVSS 3.1)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

EUVD ID Assigned: Mar 15, 2026 - 17:08 (euvd), EUVD-2025-201421
Analysis Generated: Mar 15, 2026 - 17:08 (vuln.today)
Patch Released: Mar 15, 2026 - 17:08 (nvd), patch available
CVE Published: Dec 05, 2025 - 16:15 (nvd)

Description

urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps, leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.
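The following is an added illustration of the flaw class described above and is not urllib3's own code: a minimal decoder that parses a chained Content-Encoding header and refuses to decompress at all when the chain exceeds a cap. The cap value of 5, the function names and the sample bodies are assumptions constructed for this example.

```python
import gzip
import zlib

# Assumed cap for this example (not urllib3's own constant). The header is
# checked before any decompression, so an oversized chain costs nothing.
MAX_DECODE_LINKS = 5

class DecodeChainTooLong(ValueError):
    """Raised when Content-Encoding lists more codings than we will apply."""

def parse_content_encoding(header: str) -> list[str]:
    """Split 'gzip, deflate, gzip' into ['gzip', 'deflate', 'gzip']."""
    return [tok.strip().lower() for tok in header.split(",") if tok.strip()]

def decode_chain(body: bytes, content_encoding: str,
                 max_links: int = MAX_DECODE_LINKS) -> bytes:
    """Undo the codings in reverse order, but only if the chain is bounded."""
    chain = parse_content_encoding(content_encoding)
    if len(chain) > max_links:
        raise DecodeChainTooLong(f"{len(chain)} codings exceeds cap {max_links}")
    for coding in reversed(chain):  # server applied them left to right
        if coding in ("gzip", "x-gzip"):
            body = gzip.decompress(body)
        elif coding == "deflate":
            body = zlib.decompress(body)  # zlib-wrapped deflate (RFC 1950)
        else:
            raise ValueError(f"unsupported coding: {coding}")
    return body

def build_chained_body(payload: bytes, chain: list[str]) -> tuple[bytes, str]:
    """Constructed fixture standing in for a server that applies each coding in order."""
    for coding in chain:
        payload = gzip.compress(payload) if coding == "gzip" else zlib.compress(payload)
    return payload, ", ".join(chain)

def demo() -> tuple[bytes, bool]:
    """A benign three-link chain decodes; a 100-link chain is rejected up front."""
    text = b"legitimate response body " * 40
    body, header = build_chained_body(text, ["gzip", "deflate", "gzip"])
    decoded = decode_chain(body, header)
    rejected = False
    try:
        # Hostile header: 100 links. Rejected before touching the body.
        decode_chain(b"\x00", ", ".join(["gzip"] * 100))
    except DecodeChainTooLong:
        rejected = True
    return decoded, rejected
```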

Technical Context

A denial of service vulnerability allows an attacker to disrupt the normal functioning of a system, making it unavailable to legitimate users. This vulnerability is classified as Allocation of Resources Without Limits or Throttling (CWE-770).

Affected Products

Affected products: Python Urllib3

Remediation

A vendor patch is available — apply it immediately. Implement rate limiting and input validation. Use timeout mechanisms for resource-intensive operations. Deploy DDoS protection where applicable.

Priority Score

38 (scale: Low / Medium / High / Critical)

KEV: 0
EPSS: +0.0
CVSS: +38
POC: 0

Vendor Status

Ubuntu

Priority: Medium

python-urllib3
Release   Status        Version
upstream  needs-triage  -
bionic    not-affected  code not present
focal     released      1.25.8-2ubuntu0.4+esm2
jammy     released      1.26.5-1~exp1ubuntu0.4
trusty    not-affected  code not present
xenial    not-affected  code not present
noble     released      2.0.7-1ubuntu0.3
plucky    released      2.3.0-2ubuntu0.2
questing  released      2.3.0-3ubuntu0.1

python-pip
Release   Status        Version
upstream  needs-triage  -
bionic    not-affected  code not present
jammy     needed        -
noble     needed        -
questing  needed        -
trusty    not-affected  code not present
xenial    not-affected  code not present
plucky    ignored       end of life, was needed
focal     released      20.0.2-5ubuntu1.11+esm4

Debian

Bug #1122030

python-urllib3
Release                    Status  Fixed Version           Urgency
bullseye                   fixed   1.26.5-1~exp1+deb11u2   -
bullseye (security)        fixed   1.26.5-1~exp1+deb11u3   -
bookworm                   fixed   1.26.12-1+deb12u2       -
bookworm (security)        fixed   1.26.12-1+deb12u3       -
trixie (security), trixie  fixed   2.3.0-3+deb13u1         -
forky, sid                 fixed   2.6.3-1                 -
trixie                     fixed   2.3.0-3+deb13u1         -
(unstable)                 fixed   2.5.0-1.1               -


CVE-2025-66418 vulnerability details – vuln.today
