N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-66418

CVE-2025-66418: urllib3 allows an unbounded number of links in the decompression chain

Impact

urllib3 supports chained HTTP encoding algorithms for response content according to RFC 9110 (e.g., Content-Encoding: gzip, zstd).

However, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data.

Affected usages

Applications and libraries using urllib3 version 2.5.0 and earlier for HTTP requests to untrusted sources unless they disable content decoding explicitly.

Remediation

Upgrade to at least urllib3 v2.6.0 in which the library limits the number of links to 5.

If upgrading is not immediately possible, use preload_content=False and ensure that resp.headers["content-encoding"] contains a safe number of encodings before reading the response content.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-66418

CVE-2025-66418:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
urllib3	pip	>= 1.24, < 2.6.0	2.6.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability described as 'urllib3 allows an unbounded number of links in the decompression chain' is directly addressed in the provided patch. The commit 24d7b67eac89f94e11003424bcf0d8f7b72222a8 modifies the src/urllib3/response.py file, specifically within the MultiDecoder class. The __init__ method of this class is where the Content-Encoding header is processed. The patch explicitly adds a check to limit the number of chained encodings to 5. This indicates that the urllib3.response.MultiDecoder.__init__ function was the point of vulnerability, as it previously processed an unlimited number of encodings, leading to potential resource exhaustion. The HTTPResponse class uses MultiDecoder to handle responses with multiple content encodings, making the __init__ method of MultiDecoder the primary vulnerable function.

Vulnerable functions

urllib3.response.MultiDecoder.__init__

src/urllib3/response.py

The `__init__` method of the `MultiDecoder` class is responsible for parsing the `Content-Encoding` header and setting up a chain of decoders. The vulnerability lies in the fact that prior to the patch, there was no limit on the number of encodings that could be specified. A malicious server could provide a response with a very long chain of encodings, causing the client to expend excessive CPU and memory resources during decompression, leading to a denial of service. The patch introduces a limit of 5 on the number of chained encodings.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-66418: urllib3 allows an unbounded number of links in the decompression chain

Impact

Affected usages

Remediation

CVE-2025-66418:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

N/A

N/A

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-66418: urllib3 allows an unbounded number of links in the decompression chain

Impact

Affected usages

Remediation

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI