Vulnrichment
added 2025/12/05 4:06 p.m., 2 views

CVE-2025-66471 urllib3 Streaming API improperly handles highly compressed data

urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than...

CVSS 8.9, AI score 6.4, EPSS 0.00622
Exploits: 0, References: 2
Cvelist
added 2025/12/05 4:02 p.m., 20 views

CVE-2025-66418 urllib3 allows an unbounded number of links in the decompression chain

urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory...

CVSS 8.9, EPSS 0.00622
Exploits: 0, References: 2
Vulnrichment
added 2025/12/05 4:02 p.m., 2 views

CVE-2025-66418 urllib3 allows an unbounded number of links in the decompression chain

urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory...

CVSS 8.9, AI score 6.3, EPSS 0.00622
Exploits: 0, References: 2
EUVD
added 2025/12/05 4:02 p.m., 2 views

EUVD-2025-201421

urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory...

CVSS 8.9, AI score 6.2, EPSS 0.00622
Exploits: 0, References: 3
CVE
added 2025/12/05 4:02 p.m., 40 views

CVE-2025-66418

The connected advisories confirm CVE-2025-66418 affects urllib3 (Python) via an unbounded decompression chain in versions 1.24 up to before 2.6.0, enabling high CPU and memory usage; remediation is to upgrade to 2.6.0 or later. Additional advisories note related issues: CVE-2025-66471 (Streaming ...

CVSS 8.9, AI score 6.3, EPSS 0.00622
Exploits: 0, References: 2, Affected Software: 1
AlpineLinux
added 2025/12/05 4:02 p.m., 1 view

CVE-2025-66418

urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory...

CVSS 8.9, AI score 7.2, EPSS 0.00622
Exploits: 0, References: 2
OSV
added 2025/12/05 11:15 a.m., 3 views

CVE-2025-66200

moduserdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users with access to use the RequestHeader directive in htaccess can cause some CGI scripts to run under an unexpected userid. This issue affects Apache HTTP Server: from 2.4.7 through 2.4.65. Users are...

CVSS 5.4, AI score 6.9
Exploits: 0, References: 2
Snyk
added 2025/12/05 5:53 a.m., 3 views

Malicious Package

Overview json-map-source is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

CVSS 9.8, AI score 6.8
Exploits: 0, References: 2
Snyk
added 2025/12/05 2:42 a.m., 3 views

Malicious Package

Overview node-dpapi1 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...

CVSS 9.8, AI score 6.8
Exploits: 0, References: 2
CNNVD
added 2025/12/05 12:00 a.m., 4 views

duc security vulnerability

duc is a tool for checking disk usage by the individual developer Ico Doornekamp. A security vulnerability exists in duc that stems from a stack buffer overflow in the bufferget function, which could lead to out-of-bounds reads...

CVSS 7.5, AI score 8, EPSS 0.00836
Exploits: 1, References: 5
CNNVD
added 2025/12/05 12:00 a.m., 6 views

urllib3 security vulnerability

urllib3 is a Python HTTP library open-sourced by urllib3. It features thread-safe connection pooling, file publishing support, and more. A security vulnerability exists in urllib3 version 1.24 up to and including version 2.6.0, which stems from an unlimited number of links in the decompression...

CVSS 8.9, AI score 7.4, EPSS 0.00622
Exploits: 0, References: 6
GithubExploit
added 2025/12/04 11:54 p.m., 135 views

wp_exploitation_framework

🚀 WordPress PWN Framework v5.0 - AI-Powered Edition !Python...

AI score 7
Exploits: 0
CVE
added 2025/12/04 10:37 p.m., 22 views

CVE-2025-66564

Sigstore Timestamp Authority contains a vulnerability (CVE-2025-66564) where ParseJSONRequest and getContentType allocate O(n) bytes when handling untrusted input (an OID with many periods or a malformed Content-Type header). The issue is triggered by using strings.Split on untrusted data, leadin...

CVSS 7.5, AI score 6.4, EPSS 0.00404
Exploits: 0, References: 2, Affected Software: 1
OSV
added 2025/12/04 10:15 p.m., 3 views

UBUNTU-CVE-2025-66506

Fulcio is a free-to-use certificate authority for issuing code signing certificates for an OpenID Connect OIDC identity. Prior to 1.8.3, function identity.extractIssuerURL splits via a call to strings.Split its argument which is untrusted data on periods. As a result, in the face of a malicious...

CVSS 7.5, AI score 6.4, EPSS 0.00184
Exploits: 0, References: 4
OSV
added 2025/12/04 5:11 p.m., 3 views

CLSA-2025-1764868292 Fix CVE(s): CVE-2025-1094

SECURITY UPDATE: improper neutralization of quoting syntax in libpq functions allows SQL injection via psql in certain usage patterns - debian/patches/CVE-2025-1094.patch: Fix handling of invalidly encoded data in escaping functions - CVE-2025-1094...

CVSS 8.1, AI score 5.8, EPSS 0.89472
Exploits: 10, References: 1
Snyk
added 2025/12/04 4:54 p.m., 2 views

Improper Verification of Cryptographic Signature

Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the createVerify function when using HS256 HMAC algorithms and incorporating user-provided data from the JSON Web Signature Protected Header or Payload in HMAC secret lookup routines...

CVSS 8.2, AI score 6.8, EPSS 0.00193
Exploits: 1, References: 2
OSV
added 2025/12/04 4:54 p.m., 1 view

GHSA-869P-CJFG-CM3X auth0/node-jws Improperly Verifies HMAC Signature

Overview An improper signature verification vulnerability exists when using auth0/node-jws with the HS256 algorithm under specific conditions. Am I Affected? You are affected by this vulnerability if you meet all of the following preconditions: 1. Application uses the auth0/node-jws implementatio...

CVSS 7.5, AI score 6.6, EPSS 0.00193
Exploits: 1, References: 7
Cvelist
added 2025/12/04 4:08 p.m., 20 views

CVE-2025-40262 Input: imx_sc_key - fix memory corruption on unload

In the Linux kernel, the following vulnerability has been resolved: Input: imx_sc_key - fix memory corruption on unload. This is supposed to be "priv" but we accidentally pass "&priv", which is an address on the stack, so it will lead to memory corruption when the imx_sc_key_action function is called...

EPSS 0.00165
Exploits: 0, References: 7
Snyk
added 2025/12/04 7:15 a.m., 3 views

Malicious Package

Overview elf-stats-bright-cocoa-293 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

CVSS 9.8, AI score 6.8
Exploits: 0, References: 2
Snyk
added 2025/12/04 7:15 a.m., 1 view

Malicious Package

Overview beep-types is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

CVSS 9.8, AI score 6.8
Exploits: 0, References: 2