149 matches found
Amazon Linux 2 : python-urllib3, --advisory ALAS2-2025-3110 (ALAS-2025-3110)
The version of python-urllib3 installed on the remote host is prior to 1.25.9-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2025-3110 advisory. urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number...
TencentOS Server 4: python-urllib3 (TSSA-2025:0972)
The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2025:0972 advisory. Package updates are available for TencentOS Server 4 that fix the following vulnerabilities...
Denial Of Service (DoS)
urllib3 is vulnerable to a Denial-Of-Service DoS. The vulnerability is due to an unbounded decompression chain, where nested compression layers are not limited, allowing a malicious server to send specially crafted responses that trigger excessive CPU usage and large memory allocation during...
SUSE CVE-2025-66418
urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory...
Node.js: Unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion
A vulnerability was discovered in the Fetch API of Node.js that allowed an unbounded number of links in the decompression chain for HTTP responses. This could lead to resource exhaustion, as the default maxHeaderSize allowed a malicious server to insert thousands of compression steps, resulting i...
Linux Distros Unpatched Vulnerability : CVE-2025-66418
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was...
GHSA-GM62-XV2J-4W53 urllib3 allows an unbounded number of links in the decompression chain
Impact urllib3 supports chained HTTP encoding algorithms for response content according to RFC 9110 e.g., Content-Encoding: gzip, zstd. However, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps...
urllib3 allows an unbounded number of links in the decompression chain
Impact urllib3 supports chained HTTP encoding algorithms for response content according to RFC 9110 e.g., Content-Encoding: gzip, zstd. However, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps...
AZL-71846 CVE-2025-66418 affecting package python-urllib3 for versions less than 1.26.19-3
urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory...
AZL-71834 CVE-2025-66418 affecting package python-urllib3 for versions less than 2.0.7-3
urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory...
ALPINE-CVE-2025-66418
urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory...
UBUNTU-CVE-2025-66418
urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory...
CVE-2025-66418
The connected advisories confirm CVE-2025-66418 affects urllib3 (Python) via an unbounded decompression chain in versions 1.24 up to before 2.6.0, enabling high CPU and memory usage; remediation is to upgrade to 2.6.0 or later. Additional advisories note related issues: CVE-2025-66471 (Streaming ...
EUVD-2025-201421
urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory...
CVE-2025-66418 urllib3 allows an unbounded number of links in the decompression chain
urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory...
CVE-2025-62706
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, allowing an attacker who can supply decryptable...
UBUNTU-CVE-2025-62706
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, allowing an attacker who can supply decryptable...
CVE-2025-62706 Authlib : JWE zip=DEF decompression bomb enables DoS
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, allowing an attacker who can supply decryptable...
CVE-2025-62706
Authlib’s CVE-2025-62706 affects the JWE zip=DEF decompression path in prior releases. A small ciphertext could inflate to tens/hundreds of MB during decrypt, enabling DoS via memory and CPU exhaustion. A fix exists in v1.6.5; mitigations include rejecting or stripping zip=DEF for inbound JWEs, a...
CVE-2025-62706
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, allowing an attacker who can supply decryptable...