Main Vulnerability Database Vulnerabilities #VU119230

Allocation of Resources Without Limits or Throttling in urllib3 - CVE-2025-66418

Published: December 5, 2025 / Updated: February 17, 2026

Vulnerability identifier: #VU119230

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2025-66418

CWE-ID: CWE-770

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: shazow (Andrey Petrov)

Affected software:
urllib3

Detailed vulnerability description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to missing limits on the number of links in the decompression chain when handling gzip or zstd data in the server response. A malicious server can send a response with a large amount of links and cause high CPU load, leading to a denial of service condition.

How to mitigate CVE-2025-66418

Install updates from vendor's website.

Sources

https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53

Allocation of Resources Without Limits or Throttling in urllib3 - CVE-2025-66418

Detailed vulnerability description

How to mitigate CVE-2025-66418

Sources

Please verify you're human