CVE-2025-66418: urllib3 allows an unbounded number of links in the decompression chain

December 5, 2025

urllib3 supports chained HTTP encoding algorithms for response content according to RFC 9110 (e.g., Content-Encoding: gzip, zstd).

However, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data.

References

github.com/advisories/GHSA-gm62-xv2j-4w53
github.com/urllib3/urllib3
github.com/urllib3/urllib3/commit/24d7b67eac89f94e11003424bcf0d8f7b72222a8
github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53
nvd.nist.gov/vuln/detail/CVE-2025-66418

Code Behaviors & Features

Detect and mitigate CVE-2025-66418 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →