urllib3 1.0-2.6.0 Streaming API Decompress OOM/CPU
CVE-2025-66471 Published on December 5, 2025

urllib3 Streaming API improperly handles highly compressed data
urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data.

Github Repository NVD

Weakness Type

What is a Data Amplification Vulnerability?

The software does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output. An example of data amplification is a "decompression bomb," a small ZIP file that can produce a large amount of data when it is decompressed.

CVE-2025-66471 has been classified to as a Data Amplification vulnerability or weakness.


Products Associated with CVE-2025-66471

stack.watch emails you whenever new vulnerabilities are published in Canonical Ubuntu Linux or Oracle. Just hit a watch button to start following.

Canonical Ubuntu Linux
 
Oracle
 

Affected Versions

urllib3 Version >= 1.0, < 2.6.0 is affected by CVE-2025-66471

Vulnerable Packages

The following package name and versions may be associated with CVE-2025-66471

Package Manager Vulnerable Package Versions Fixed In
pip urllib3 >= 1.0, < 2.6.0 2.6.0

Exploit Probability

EPSS
0.03%
Percentile
7.20%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.