N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-66471

CVE-2025-66471: urllib3 streaming API improperly handles highly compressed data

Impact

urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once.

When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation.

The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data; CWE-409) on the client side, even if the application only requested a small chunk of data.

Affected usages

Applications and libraries using urllib3 version 2.5.0 and earlier to stream large compressed responses or content from untrusted sources.

stream(), read(amt=256), read1(amt=256), read_chunked(amt=256), readinto(b) are examples of urllib3.HTTPResponse method calls using the affected logic unless decoding is disabled explicitly.

Remediation

Upgrade to at least urllib3 v2.6.0 in which the library avoids decompressing data that exceeds the requested amount.

If your environment contains a package facilitating the Brotli encoding, upgrade to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 too. These versions are enforced by the urllib3[brotli] extra in the patched versions of urllib3.

Credits

The issue was reported by @Cycloctane. Supplemental information was provided by @stamparm during a security audit performed by 7ASecurity and facilitated by OSTIF.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-66471

CVE-2025-66471:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
urllib3	pip	>= 1.0, < 2.6.0	2.6.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists because the streaming API in urllib3 did not limit the amount of data produced during the decompression of HTTP response bodies. An attacker could craft a highly compressed payload (a 'decompression bomb') that, when processed, would consume an excessive amount of memory and CPU resources on the client, even if the client application only requested a small portion of the data. The root cause was that the decompress methods within the various decoder classes (GzipDecoder, DeflateDecoder, etc.) would decompress as much data as was available in their input buffers, without respect to the amount of data the user actually requested from the stream.

The patch addresses this by introducing a max_length parameter to the decompress methods of all content decoders. This parameter is then used by the user-facing read methods (read, read1, stream, read_chunked) to signal to the decoders the maximum amount of decompressed data that should be produced. This prevents the library from decompressing the entire malicious payload at once, thus mitigating the resource exhaustion attack.

Vulnerable functions

DeflateDecoder.decompress

src/urllib3/response.py

The `decompress` function for `deflate` encoding did not limit the amount of data decompressed. The patch introduces a `max_length` parameter to prevent it from decompressing an entire 'decompression bomb' payload when only a small chunk of data is requested.

GzipDecoder.decompress

src/urllib3/response.py

The `decompress` function for `gzip` encoding did not limit the amount of data decompressed. The patch introduces a `max_length` parameter to prevent it from decompressing an entire 'decompression bomb' payload when only a small chunk of data is requested.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-66471: urllib3 streaming API improperly handles highly compressed data

Impact

Affected usages

Remediation

Credits

CVE-2025-66471:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

Vulnerability Intelligence
Miggo AI

Detect and Respond To Threats Faster.

CVE-2025-66471: urllib3 streaming API improperly handles highly compressed data

Impact

Affected usages

Remediation

Credits

N/A

N/A

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

Basic Information

Basic Information

WAF Protection Rules

WAF Rule

Reasoning

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-66471: urllib3 streaming API improperly handles highly compressed data

Impact

Affected usages

Remediation

Credits

CVE-2025-66471:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

Vulnerability IntelligenceMiggo AI

CVE-2025-66471: urllib3 streaming API improperly handles highly compressed data

Impact

Affected usages

Remediation

Credits

N/A

N/A

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

Basic Information

Basic Information

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI