oss-sec mailing list archives

CVE-2025-66418 & CVE-2025-66471 fixed in urllib3 2.6.0


From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Fri, 5 Dec 2025 10:52:54 -0800

https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53
discloses:

Unbounded number of links in the decompression chain
====================================================

illia-v published GHSA-gm62-xv2j-4w53 Dec 5, 2025

Package: urllib3 (pip)
Affected versions: >=1.24,<2.6.0
Patched versions: 2.6.0

Description
===========

Impact
------

urllib3 supports chained HTTP encoding algorithms for response content
according to RFC 9110 (e.g., Content-Encoding: gzip, zstd).

However, the number of links in the decompression chain was unbounded,
allowing a malicious server to insert a virtually unlimited number of
compression steps, leading to high CPU usage and massive memory
allocation for the decompressed data.

Affected usages
---------------

Applications and libraries using urllib3 version 2.5.0 and earlier for
HTTP requests to untrusted sources unless they disable content
decoding explicitly.

Remediation
-----------

Upgrade to at least urllib3 v2.6.0 in which the library limits the
number of links to 5.

If upgrading is not immediately possible, use preload_content=False
and ensure that resp.headers["content-encoding"] contains a safe
number of encodings before reading the response content.
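The workaround above can be expressed as a small pre-read guard. The following is an added example, not urllib3's code or anything from the advisory: it assumes a response object exposing `.headers` (a plain dict or urllib3's `HTTPHeaderDict`) and `.read()`, which is what `preload_content=False` hands back, so the body is not decoded until `.read()` is called. The limit of 5 mirrors the cap the advisory says 2.6.0 applies; the header value with 100 links is constructed for the demonstration.

```python
"""Guard the Content-Encoding chain length before reading a response body.

Added example; not urllib3's own implementation. Assumes `resp.headers`
and `resp.read()` exist, as they do for an urllib3 HTTPResponse obtained
with preload_content=False.
"""

# Chosen to match the limit the advisory says urllib3 2.6.0 enforces.
MAX_ENCODING_LINKS = 5


def _get_header(headers, name):
    """Case-insensitive lookup that works for plain dicts as well as
    urllib3's HTTPHeaderDict (which is already case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_content_encoding(header_value):
    """Split 'gzip, zstd' into ['gzip', 'zstd']. The list order is the order
    the encodings were applied, so its length is the decode chain length."""
    if not header_value:
        return []
    return [tok.strip().lower() for tok in header_value.split(",") if tok.strip()]


def check_encoding_chain(headers, max_links=MAX_ENCODING_LINKS):
    """Return the codings, or raise ValueError when the chain exceeds
    max_links. Raising before .read() means no decoder is ever constructed
    for an oversized chain, so no CPU or memory is spent on it."""
    codings = parse_content_encoding(_get_header(headers, "content-encoding"))
    if len(codings) > max_links:
        raise ValueError(
            f"refusing Content-Encoding chain of {len(codings)} links "
            f"(limit {max_links})"
        )
    return codings


def read_with_guard(resp, max_links=MAX_ENCODING_LINKS):
    """Check the chain first, then read (and decode) the body."""
    check_encoding_chain(resp.headers, max_links)
    return resp.read()


if __name__ == "__main__":
    # Constructed header with 100 links; the guard rejects it before any
    # decompression work starts.
    hostile = {"Content-Encoding": ", ".join(["gzip"] * 100)}
    try:
        check_encoding_chain(hostile)
    except ValueError as exc:
        print(exc)
    print(check_encoding_chain({"Content-Encoding": "gzip, zstd"}))
```

With urllib3 this slots in as `resp = http.request("GET", url, preload_content=False)` followed by `read_with_guard(resp)`; the same check belongs before any `resp.stream()` loop, since streaming decodes on the fly as well.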

Severity: High 8.9 / 10
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
CVE ID: CVE-2025-66418
Weaknesses: CWE-770

Credits
-------
    @illia-v illia-v Reporter
    @sethmlarson sethmlarson Remediation reviewer
    @pquentin pquentin Remediation reviewer


https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37
advises:

Streaming API improperly handles highly compressed data
=======================================================

illia-v published GHSA-2xpw-w6gg-jr37 Dec 5, 2025

Package: urllib3 (pip)
Affected versions: >=1.0,<2.6.0
Patched versions: 2.6.0

Description
===========

Impact
------

urllib3's streaming API is designed for the efficient handling of
large HTTP responses by reading the content in chunks, rather than
loading the entire response body into memory at once.

When streaming a compressed response, urllib3 can perform decoding or
decompression based on the HTTP Content-Encoding header (e.g., gzip,
deflate, br, or zstd). The library must read compressed data from the
network and decompress it until the requested chunk size is met. Any
resulting decompressed data that exceeds the requested amount is held
in an internal buffer for the next read operation.

The decompression logic could cause urllib3 to fully decode a small
amount of highly compressed data in a single operation. This can
result in excessive resource consumption (high CPU usage and massive
memory allocation for the decompressed data; CWE-409) on the client
side, even if the application only requested a small chunk of data.

Affected usages
---------------

Applications and libraries using urllib3 version 2.5.0 and earlier to
stream large compressed responses or content from untrusted sources.

stream(), read(amt=256), read1(amt=256), read_chunked(amt=256),
readinto(b) are examples of urllib3.HTTPResponse method calls using
the affected logic unless decoding is disabled explicitly.

Remediation
-----------

Upgrade to at least urllib3 v2.6.0 in which the library avoids
decompressing data that exceeds the requested amount.

If your environment contains a package facilitating the Brotli
encoding, upgrade to at least Brotli 1.2.0 or brotlicffi 1.2.0.0
too. These versions are enforced by the urllib3[brotli] extra in the
patched versions of urllib3.
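To make the failure mode in the Impact section and the fix described under Remediation concrete, here is an added example that is not urllib3's code: a naive decoder that inflates whatever arrived from the network (and buffers the excess, as the advisory describes) beside a bounded gzip reader that uses zlib's `max_length` so no single call ever produces more than the caller requested. Only gzip is shown; the compressed input is constructed (a few MiB of zero bytes, which gzip shrinks by roughly a thousand to one). The class and function names are assumptions for the example.

```python
"""Bounded streaming decompression (added example, not urllib3's code).

Shows why decoding with an output cap matters: highly compressible input
expands enormously, and a decoder without a cap inflates all of it even
when the caller asked for 256 bytes.
"""
import gzip
import io
import zlib


class BoundedGzipReader:
    """Return at most `amt` decoded bytes per read(). Compressed input that
    zlib has not consumed yet stays compressed in `_pending` rather than
    being inflated into a buffer of unbounded size."""

    def __init__(self, source, chunk_size=8192):
        self._source = source        # file-like object yielding compressed bytes
        self._chunk_size = chunk_size
        self._zobj = zlib.decompressobj(16 + zlib.MAX_WBITS)  # gzip framing
        self._pending = b""          # compressed bytes handed to zlib but unconsumed
        self.max_inflated = 0        # largest single inflate result, for the demo

    def read(self, amt):
        out = bytearray()
        while len(out) < amt:
            if not self._pending:
                if self._zobj.eof:
                    break
                self._pending = self._source.read(self._chunk_size)
                if not self._pending:
                    break            # truncated stream: nothing more to feed
            # max_length caps the output; input zlib did not get to comes back
            # in unconsumed_tail and is resubmitted on the next iteration.
            chunk = self._zobj.decompress(self._pending, amt - len(out))
            self._pending = self._zobj.unconsumed_tail
            self.max_inflated = max(self.max_inflated, len(chunk))
            out += chunk
        return bytes(out)


def naive_first_read(compressed, amt):
    """The pattern the advisory describes: decode everything that was read
    from the network, hand back `amt` bytes, keep the rest buffered."""
    zobj = zlib.decompressobj(16 + zlib.MAX_WBITS)
    inflated = zobj.decompress(compressed)        # no max_length: inflates it all
    return inflated[:amt], max(0, len(inflated) - amt)  # bytes left in memory


def bounded_first_read(compressed, amt):
    """Same request, but the decoder never inflates past `amt`."""
    reader = BoundedGzipReader(io.BytesIO(compressed))
    data = reader.read(amt)
    return data, reader.max_inflated


def drain(compressed, amt=65536, chunk_size=512):
    """Read the whole stream in `amt`-sized requests; report the decoded
    total and the largest amount any single inflate call produced."""
    reader = BoundedGzipReader(io.BytesIO(compressed), chunk_size)
    total = 0
    while True:
        chunk = reader.read(amt)
        if not chunk:
            break
        total += len(chunk)
    return total, reader.max_inflated


def make_bomb(size):
    """Constructed input: `size` zero bytes, gzip-compressed."""
    return gzip.compress(b"\0" * size)


if __name__ == "__main__":
    body = make_bomb(4 * 1024 * 1024)
    _, buffered = naive_first_read(body, 256)
    _, peak = bounded_first_read(body, 256)
    print(f"{len(body)} compressed bytes: naive buffers {buffered} decoded bytes "
          f"after a 256-byte read, bounded peaks at {peak}")
```

The bounded reader still reads the network in fixed-size compressed chunks, so the cap is on decoded output per call, not on how much compressed data is in flight; brotli and zstd decoders need an equivalent bounded-output interface, which is why the advisory also asks for the updated Brotli packages.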

Credits
-------

The issue was reported by @Cycloctane.

Supplemental information was provided by @stamparm during a security
audit performed by 7ASecurity and facilitated by OSTIF.

Severity: High 8.9 / 10
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
CVE ID: CVE-2025-66471
Weaknesses: CWE-409

Credits
-------

    @illia-v illia-v Coordinator
    @pquentin pquentin Remediation reviewer
    @sethmlarson sethmlarson Analyst
    @Cycloctane Cycloctane Finder
    @stamparm stamparm Finder
