CVE-2025-66418

CVE-2025-66418 is a high-severity allocation of resources without limits or throttling vulnerability in urllib3 (pip), affecting versions >= 1.24, < 2.6.0. It is fixed in 2.6.0.

Summary

Affected usages

Applications and libraries using urllib3 version 2.5.0 and earlier for HTTP requests to untrusted sources unless they disable content decoding explicitly.

Impact

urllib3 supports chained HTTP encoding algorithms for response content according to RFC 9110 (e.g., Content-Encoding: gzip, zstd).

However, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data.

The application allocates resources such as memory, threads, or file descriptors based on untrusted input without enforcing a cap. Typical impact: resource exhaustion leading to denial of service.

Affected versions

urllib3 (>= 1.24, < 2.6.0)

Security releases

urllib3 → 2.6.0 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Upgrade to at least urllib3 v2.6.0 in which the library limits the number of links to 5.

If upgrading is not immediately possible, use preload_content=False and ensure that resp.headers["content-encoding"] contains a safe number of encodings before reading the response content.

Frequently Asked Questions

  1. What is CVE-2025-66418? CVE-2025-66418 is a high-severity allocation of resources without limits or throttling vulnerability in urllib3 (pip), affecting versions >= 1.24, < 2.6.0. It is fixed in 2.6.0. The application allocates resources such as memory, threads, or file descriptors based on untrusted input without enforcing a cap.
  2. Which versions of urllib3 are affected by CVE-2025-66418? urllib3 (pip) versions >= 1.24, < 2.6.0 is affected.
  3. Is there a fix for CVE-2025-66418? Yes. CVE-2025-66418 is fixed in 2.6.0. Upgrade to this version or later.
  4. Is CVE-2025-66418 exploitable, and should I be worried? Whether CVE-2025-66418 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  5. What actually determines whether CVE-2025-66418 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix CVE-2025-66418? Upgrade urllib3 to 2.6.0 or later.

Other vulnerabilities in urllib3

CVE-2026-44432CVE-2026-44431CVE-2026-21441CVE-2025-66471CVE-2025-66418

Stop the waste.
Protect your environment with Kodem.