CVE-2025-66471

| EUVD-2025-201419 HIGH
2025-12-05 [email protected] GHSA-2xpw-w6gg-jr37
7.5
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
EUVD ID Assigned
Mar 15, 2026 - 17:08 euvd
EUVD-2025-201419
Analysis Generated
Mar 15, 2026 - 17:08 vuln.today
Patch Released
Mar 15, 2026 - 17:08 nvd
Patch available
CVE Published
Dec 05, 2025 - 17:16 nvd
HIGH 7.5

Tags

Information Disclosure Python Ubuntu Debian Urllib3 Redhat Suse

Description

urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data.

Analysis

A security vulnerability in version 1.0 and (CVSS 7.5). High severity vulnerability requiring prompt remediation. Vendor patch is available.

Technical Context

Vulnerability type not specified by vendor. CVSS 7.5 indicates high severity. Affects version 1.0 and.

Affected Products

['version 1.0 and']

Remediation

Apply the vendor-supplied patch immediately.

Priority Score

38
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +38
POC: 0

Vendor Status

Ubuntu

Priority: Medium
python-urllib3
Release Status Version
upstream needs-triage -
bionic ignored changes too intrusive
focal ignored changes too intrusive
jammy ignored changes too intrusive
trusty ignored changes too intrusive
noble released 2.0.7-1ubuntu0.3
plucky released 2.3.0-2ubuntu0.2
questing released 2.3.0-3ubuntu0.1
xenial ignored changes too intrusive
python-pip
Release Status Version
upstream needs-triage -
bionic ignored changes too intrusive
focal ignored changes too intrusive
jammy ignored changes too intrusive
noble needed -
questing needed -
trusty ignored changes too intrusive
xenial ignored changes too intrusive
plucky ignored end of life, was needed
USN-7927-1 USN-7927-2 USN-7927-3

Debian

Bug #1122029
python-urllib3
Release Status Fixed Version Urgency
bullseye vulnerable 1.26.5-1~exp1 -
bullseye (security) vulnerable 1.26.5-1~exp1+deb11u3 -
bookworm vulnerable 1.26.12-1+deb12u1 -
bookworm (security) vulnerable 1.26.12-1+deb12u3 -
trixie (security), trixie vulnerable 2.3.0-3+deb13u1 -
forky, sid fixed 2.6.3-1 -
(unstable) fixed 2.6.3-1 -

Share

CVE-2025-66471 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy