Vulnerability details: VCID-v365-pn8r-e7dh
Vulnerability ID VCID-v365-pn8r-e7dh
Aliases CVE-2025-66418
GHSA-gm62-xv2j-4w53
Summary: urllib3 allows an unbounded number of links in the decompression chain. urllib3 supports chained HTTP encoding algorithms for response content according to RFC 9110 (e.g., `Content-Encoding: gzip, zstd`). However, the number of links in the decompression chain was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps, leading to high CPU usage and massive memory allocation for the decompressed data.
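As an added defender-side illustration (not urllib3's own code or its actual fix), the check below parses a Content-Encoding chain, refuses chains longer than an assumed cap before any decoding happens, and also bounds the size of every intermediate decoded buffer; the constants, function names and the gzip/deflate-only coding set are assumptions made for this example.

```python
import gzip
import zlib
from typing import List

# Assumed cap on chained codings; a constructed value, not urllib3's own constant.
MAX_CONTENT_ENCODING_LINKS = 5
# Assumed ceiling on each intermediate decompressed buffer (bytes).
MAX_DECODED_BYTES = 10 * 1024 * 1024
SUPPORTED = {"gzip", "deflate", "identity"}

class DecompressionChainError(ValueError):
    """Chain too long, unsupported coding, or decoded data too large."""

def parse_content_encoding(header: str) -> List[str]:
    """Split an RFC 9110 list-style header into ordered, lower-cased codings."""
    return [c.strip().lower() for c in header.split(",") if c.strip()]

def check_chain(header: str, max_links: int = MAX_CONTENT_ENCODING_LINKS) -> List[str]:
    """Validate before allocating: bound the chain length and reject unknown codings."""
    codings = parse_content_encoding(header)
    if len(codings) > max_links:
        raise DecompressionChainError(f"{len(codings)} codings exceed limit {max_links}")
    unsupported = [c for c in codings if c not in SUPPORTED]
    if unsupported:
        raise DecompressionChainError(f"unsupported coding(s): {unsupported}")
    return codings

def decode_chain(body: bytes, header: str, max_links: int = MAX_CONTENT_ENCODING_LINKS,
                 max_bytes: int = MAX_DECODED_BYTES) -> bytes:
    """Undo codings in reverse header order, checking the size after every step."""
    for coding in reversed(check_chain(header, max_links)):
        if coding == "gzip":
            body = gzip.decompress(body)
        elif coding == "deflate":
            body = zlib.decompress(body)
        # "identity" is a no-op; the size is still checked so an oversized body is caught
        if len(body) > max_bytes:
            raise DecompressionChainError(f"decoded size {len(body)} exceeds {max_bytes}")
    return body

def encode_chain(data: bytes, codings: List[str]) -> bytes:
    """Constructed helper: apply codings in header order to build a sample body."""
    for coding in codings:
        data = gzip.compress(data) if coding == "gzip" else (
            zlib.compress(data) if coding == "deflate" else data)
    return data
```

Rejecting the chain on header inspection alone is the important property: the cost of a hostile response is then bounded by header length, not by how many decompression steps the server asks for.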
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-66418.json
epss 0.00029 https://api.first.org/data/v1/epss?cve=CVE-2025-66418
epss 0.00033 https://api.first.org/data/v1/epss?cve=CVE-2025-66418
cvssv3.1 5.3 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-gm62-xv2j-4w53
cvssv4 8.9 https://github.com/urllib3/urllib3
generic_textual HIGH https://github.com/urllib3/urllib3
cvssv4 8.9 https://github.com/urllib3/urllib3/commit/24d7b67eac89f94e11003424bcf0d8f7b72222a8
generic_textual HIGH https://github.com/urllib3/urllib3/commit/24d7b67eac89f94e11003424bcf0d8f7b72222a8
ssvc Track https://github.com/urllib3/urllib3/commit/24d7b67eac89f94e11003424bcf0d8f7b72222a8
cvssv3.1_qr HIGH https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53
cvssv4 8.9 https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53
generic_textual HIGH https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53
ssvc Track https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53
cvssv4 8.9 https://nvd.nist.gov/vuln/detail/CVE-2025-66418
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2025-66418
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-66418.json
https://api.first.org/data/v1/epss?cve=CVE-2025-66418
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66418
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/urllib3/urllib3
https://github.com/urllib3/urllib3/commit/24d7b67eac89f94e11003424bcf0d8f7b72222a8
1122030 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122030
2419455 https://bugzilla.redhat.com/show_bug.cgi?id=2419455
CVE-2025-66418 https://nvd.nist.gov/vuln/detail/CVE-2025-66418
GHSA-gm62-xv2j-4w53 https://github.com/advisories/GHSA-gm62-xv2j-4w53
GHSA-gm62-xv2j-4w53 https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53
RHSA-2026:0050 https://access.redhat.com/errata/RHSA-2026:0050
RHSA-2026:0414 https://access.redhat.com/errata/RHSA-2026:0414
RHSA-2026:0990 https://access.redhat.com/errata/RHSA-2026:0990
RHSA-2026:10184 https://access.redhat.com/errata/RHSA-2026:10184
RHSA-2026:1026 https://access.redhat.com/errata/RHSA-2026:1026
RHSA-2026:1027 https://access.redhat.com/errata/RHSA-2026:1027
RHSA-2026:1041 https://access.redhat.com/errata/RHSA-2026:1041
RHSA-2026:1042 https://access.redhat.com/errata/RHSA-2026:1042
RHSA-2026:1086 https://access.redhat.com/errata/RHSA-2026:1086
RHSA-2026:1087 https://access.redhat.com/errata/RHSA-2026:1087
RHSA-2026:1088 https://access.redhat.com/errata/RHSA-2026:1088
RHSA-2026:1089 https://access.redhat.com/errata/RHSA-2026:1089
RHSA-2026:1168 https://access.redhat.com/errata/RHSA-2026:1168
RHSA-2026:1176 https://access.redhat.com/errata/RHSA-2026:1176
RHSA-2026:1224 https://access.redhat.com/errata/RHSA-2026:1224
RHSA-2026:1226 https://access.redhat.com/errata/RHSA-2026:1226
RHSA-2026:1239 https://access.redhat.com/errata/RHSA-2026:1239
RHSA-2026:1240 https://access.redhat.com/errata/RHSA-2026:1240
RHSA-2026:1241 https://access.redhat.com/errata/RHSA-2026:1241
RHSA-2026:1254 https://access.redhat.com/errata/RHSA-2026:1254
RHSA-2026:1329 https://access.redhat.com/errata/RHSA-2026:1329
RHSA-2026:1330 https://access.redhat.com/errata/RHSA-2026:1330
RHSA-2026:1331 https://access.redhat.com/errata/RHSA-2026:1331
RHSA-2026:1332 https://access.redhat.com/errata/RHSA-2026:1332
RHSA-2026:1336 https://access.redhat.com/errata/RHSA-2026:1336
RHSA-2026:1337 https://access.redhat.com/errata/RHSA-2026:1337
RHSA-2026:1338 https://access.redhat.com/errata/RHSA-2026:1338
RHSA-2026:1339 https://access.redhat.com/errata/RHSA-2026:1339
RHSA-2026:1340 https://access.redhat.com/errata/RHSA-2026:1340
RHSA-2026:1485 https://access.redhat.com/errata/RHSA-2026:1485
RHSA-2026:1504 https://access.redhat.com/errata/RHSA-2026:1504
RHSA-2026:1546 https://access.redhat.com/errata/RHSA-2026:1546
RHSA-2026:1618 https://access.redhat.com/errata/RHSA-2026:1618
RHSA-2026:1619 https://access.redhat.com/errata/RHSA-2026:1619
RHSA-2026:1652 https://access.redhat.com/errata/RHSA-2026:1652
RHSA-2026:1674 https://access.redhat.com/errata/RHSA-2026:1674
RHSA-2026:1676 https://access.redhat.com/errata/RHSA-2026:1676
RHSA-2026:1693 https://access.redhat.com/errata/RHSA-2026:1693
RHSA-2026:1701 https://access.redhat.com/errata/RHSA-2026:1701
RHSA-2026:1702 https://access.redhat.com/errata/RHSA-2026:1702
RHSA-2026:1704 https://access.redhat.com/errata/RHSA-2026:1704
RHSA-2026:1712 https://access.redhat.com/errata/RHSA-2026:1712
RHSA-2026:1726 https://access.redhat.com/errata/RHSA-2026:1726
RHSA-2026:1729 https://access.redhat.com/errata/RHSA-2026:1729
RHSA-2026:1730 https://access.redhat.com/errata/RHSA-2026:1730
RHSA-2026:1736 https://access.redhat.com/errata/RHSA-2026:1736
RHSA-2026:1942 https://access.redhat.com/errata/RHSA-2026:1942
RHSA-2026:1957 https://access.redhat.com/errata/RHSA-2026:1957
RHSA-2026:2106 https://access.redhat.com/errata/RHSA-2026:2106
RHSA-2026:2126 https://access.redhat.com/errata/RHSA-2026:2126
RHSA-2026:2137 https://access.redhat.com/errata/RHSA-2026:2137
RHSA-2026:2139 https://access.redhat.com/errata/RHSA-2026:2139
RHSA-2026:2144 https://access.redhat.com/errata/RHSA-2026:2144
RHSA-2026:2256 https://access.redhat.com/errata/RHSA-2026:2256
RHSA-2026:2279 https://access.redhat.com/errata/RHSA-2026:2279
RHSA-2026:2456 https://access.redhat.com/errata/RHSA-2026:2456
RHSA-2026:2500 https://access.redhat.com/errata/RHSA-2026:2500
RHSA-2026:2563 https://access.redhat.com/errata/RHSA-2026:2563
RHSA-2026:2681 https://access.redhat.com/errata/RHSA-2026:2681
RHSA-2026:2695 https://access.redhat.com/errata/RHSA-2026:2695
RHSA-2026:2717 https://access.redhat.com/errata/RHSA-2026:2717
RHSA-2026:2718 https://access.redhat.com/errata/RHSA-2026:2718
RHSA-2026:2723 https://access.redhat.com/errata/RHSA-2026:2723
RHSA-2026:2728 https://access.redhat.com/errata/RHSA-2026:2728
RHSA-2026:2737 https://access.redhat.com/errata/RHSA-2026:2737
RHSA-2026:2754 https://access.redhat.com/errata/RHSA-2026:2754
RHSA-2026:2762 https://access.redhat.com/errata/RHSA-2026:2762
RHSA-2026:2764 https://access.redhat.com/errata/RHSA-2026:2764
RHSA-2026:2765 https://access.redhat.com/errata/RHSA-2026:2765
RHSA-2026:2800 https://access.redhat.com/errata/RHSA-2026:2800
RHSA-2026:2900 https://access.redhat.com/errata/RHSA-2026:2900
RHSA-2026:2919 https://access.redhat.com/errata/RHSA-2026:2919
RHSA-2026:2924 https://access.redhat.com/errata/RHSA-2026:2924
RHSA-2026:2925 https://access.redhat.com/errata/RHSA-2026:2925
RHSA-2026:2926 https://access.redhat.com/errata/RHSA-2026:2926
RHSA-2026:3296 https://access.redhat.com/errata/RHSA-2026:3296
RHSA-2026:3406 https://access.redhat.com/errata/RHSA-2026:3406
RHSA-2026:3444 https://access.redhat.com/errata/RHSA-2026:3444
RHSA-2026:3461 https://access.redhat.com/errata/RHSA-2026:3461
RHSA-2026:3462 https://access.redhat.com/errata/RHSA-2026:3462
RHSA-2026:3713 https://access.redhat.com/errata/RHSA-2026:3713
RHSA-2026:3782 https://access.redhat.com/errata/RHSA-2026:3782
RHSA-2026:3869 https://access.redhat.com/errata/RHSA-2026:3869
RHSA-2026:3874 https://access.redhat.com/errata/RHSA-2026:3874
RHSA-2026:4185 https://access.redhat.com/errata/RHSA-2026:4185
RHSA-2026:4215 https://access.redhat.com/errata/RHSA-2026:4215
RHSA-2026:4271 https://access.redhat.com/errata/RHSA-2026:4271
RHSA-2026:4466 https://access.redhat.com/errata/RHSA-2026:4466
RHSA-2026:4467 https://access.redhat.com/errata/RHSA-2026:4467
RHSA-2026:5807 https://access.redhat.com/errata/RHSA-2026:5807
RHSA-2026:6292 https://access.redhat.com/errata/RHSA-2026:6292
USN-7927-1 https://usn.ubuntu.com/7927-1/
USN-8010-1 https://usn.ubuntu.com/8010-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-66418.json
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H Found at https://github.com/urllib3/urllib3
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H Found at https://github.com/urllib3/urllib3/commit/24d7b67eac89f94e11003424bcf0d8f7b72222a8
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-05T16:15:39Z/ Found at https://github.com/urllib3/urllib3/commit/24d7b67eac89f94e11003424bcf0d8f7b72222a8
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H Found at https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-05T16:15:39Z/ Found at https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H Found at https://nvd.nist.gov/vuln/detail/CVE-2025-66418
Exploit Prediction Scoring System (EPSS)
Percentile 0.08088
EPSS Score 0.00029
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:53:28.805796+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/urllib3/CVE-2025-66418.yml 38.0.0