Main Vulnerability Database Vulnerabilities #VU119230

#VU119230 Allocation of Resources Without Limits or Throttling in urllib3 - CVE-2025-66418

Published: December 5, 2025 / Updated: February 17, 2026

Vulnerability identifier: #VU119230

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2025-66418

CWE-ID: CWE-770

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
urllib3

Software vendor:
shazow (Andrey Petrov)

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to missing limits on the number of links in the decompression chain when handling gzip or zstd data in the server response. A malicious server can send a response with a large amount of links and cause high CPU load, leading to a denial of service condition.

Remediation

Install updates from vendor's website.

External links

https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53

#VU119230 Allocation of Resources Without Limits or Throttling in urllib3 - CVE-2025-66418

Description

Remediation

External links

Please verify you're human