Description
CVE-2025-66418 - High Severity Vulnerability
Vulnerable Library - urllib3-1.25.10-py2.py3-none-any.whl
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/9f/f0/a391d1463ebb1b233795cabfc0ef38d3db4442339de68f847026199e69d7/urllib3-1.25.10-py2.py3-none-any.whl
Path to dependency file: /day70/requirements.txt
Path to vulnerable library: /day70/requirements.txt
Dependency Hierarchy:
- ❌ urllib3-1.25.10-py2.py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: c88b9429eb68a85b22f0e39cac7bf20b89cb6709
Found in base branch: master
Vulnerability Details
urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps, leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.
Publish Date: 2025-12-05
URL: CVE-2025-66418
CVSS 3 Score Details (8.6)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2025-12-05
Fix Resolution: https://github.com/urllib3/urllib3.git - 2.6.0, urllib3 - 2.6.0