Message-ID: <fe6ae308-dd2d-441a-8afa-3d9742274aa1@oracle.com>
Date: Fri, 5 Dec 2025 10:52:54 -0800
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-66418 & CVE-2025-66471 fixed in urllib3 2.6.0

https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53
discloses:

> Unbounded number of links in the decompression chain
> ====================================================
> 
> illia-v published GHSA-gm62-xv2j-4w53 Dec 5, 2025
> 
> Package: urllib3 (pip)
> Affected versions: >=1.24,<2.6.0
> Patched versions: 2.6.0
> 
> Description
> ===========
> 
> Impact
> ------
> 
> urllib3 supports chained HTTP encoding algorithms for response content
> according to RFC 9110 (e.g., Content-Encoding: gzip, zstd).
> 
> However, the number of links in the decompression chain was unbounded
> allowing a malicious server to insert a virtually unlimited number of
> compression steps leading to high CPU usage and massive memory
> allocation for the decompressed data.
> 
> Affected usages
> ---------------
> 
> Applications and libraries using urllib3 version 2.5.0 and earlier for
> HTTP requests to untrusted sources unless they disable content
> decoding explicitly.
> 
> Remediation
> -----------
> 
> Upgrade to at least urllib3 v2.6.0 in which the library limits the
> number of links to 5.
> 
> If upgrading is not immediately possible, use preload_content=False
> and ensure that resp.headers["content-encoding"] contains a safe
> number of encodings before reading the response content.
> 
> Severity: High 8.9 / 10
> CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
> CVE ID: CVE-2025-66418
> Weaknesses: Weakness CWE-770
> 
> Credits
> -------
>     @illia-v illia-v Reporter
>     @sethmlarson sethmlarson Remediation reviewer
>     @pquentin pquentin Remediation reviewer


https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37
advises:

> Streaming API improperly handles highly compressed data
> =======================================================
> 
> illia-v published GHSA-2xpw-w6gg-jr37 Dec 5, 2025
> 
> Package: urllib3 (pip)
> Affected versions: >=1.0,<2.6.0
> Patched versions: 2.6.0
> 
> Description
> ===========
> 
> Impact
> ------
> 
> urllib3's streaming API is designed for the efficient handling of
> large HTTP responses by reading the content in chunks, rather than
> loading the entire response body into memory at once.
> 
> When streaming a compressed response, urllib3 can perform decoding or
> decompression based on the HTTP Content-Encoding header (e.g., gzip,
> deflate, br, or zstd). The library must read compressed data from the
> network and decompress it until the requested chunk size is met. Any
> resulting decompressed data that exceeds the requested amount is held
> in an internal buffer for the next read operation.
> 
> The decompression logic could cause urllib3 to fully decode a small
> amount of highly compressed data in a single operation. This can
> result in excessive resource consumption (high CPU usage and massive
> memory allocation for the decompressed data; CWE-409) on the client
> side, even if the application only requested a small chunk of data.
> 
> Affected usages
> ---------------
> 
> Applications and libraries using urllib3 version 2.5.0 and earlier to
> stream large compressed responses or content from untrusted sources.
> 
> stream(), read(amt=256), read1(amt=256), read_chunked(amt=256),
> readinto(b) are examples of urllib3.HTTPResponse method calls using
> the affected logic unless decoding is disabled explicitly.
> 
> Remediation
> -----------
> 
> Upgrade to at least urllib3 v2.6.0 in which the library avoids
> decompressing data that exceeds the requested amount.
> 
> If your environment contains a package facilitating the Brotli
> encoding, upgrade to at least Brotli 1.2.0 or brotlicffi 1.2.0.0
> too. These versions are enforced by the urllib3[brotli] extra in the
> patched versions of urllib3.
> 
> Credits
> -------
> 
> The issue was reported by @Cycloctane.
> 
> Supplemental information was provided by @stamparm during a security
> audit performed by 7ASecurity and facilitated by OSTIF.
> 
> Severity: High 8.9 / 10
> CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
> CVE ID: CVE-2025-66471
> Weaknesses: Weakness CWE-409
> 
> Credits
> -------
> 
>     @illia-v illia-v Coordinator
>     @pquentin pquentin Remediation reviewer
>     @sethmlarson sethmlarson Analyst
>     @Cycloctane Cycloctane Finder
>     @stamparm stamparm Finder

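As an added illustration of the two defensive measures the advisories above describe (counting the Content-Encoding links before reading the body, and not letting a small compressed body expand past what was asked for), the following code is mine, not urllib3's. It uses only the Python standard library and constructs its own sample gzip payload so it runs offline; the limit of 5 links is the one urllib3 2.6.0 adopts, while the 4096-byte output cap and the function names are assumptions for the example.

```python
import gzip
import zlib

# Limit on chained codings adopted by urllib3 2.6.0 (per GHSA-gm62-xv2j-4w53).
MAX_ENCODING_LINKS = 5


def encoding_chain(header_value):
    """Return the codings named by a Content-Encoding value, in order.

    RFC 9110 allows a comma-separated list; urllib3's header dict joins
    repeated Content-Encoding fields with ", " so one string covers both.
    """
    return [c.strip().lower() for c in header_value.split(",") if c.strip()]


def chain_is_safe(header_value, limit=MAX_ENCODING_LINKS):
    """True when the number of decompression links is within `limit`."""
    return len(encoding_chain(header_value)) <= limit


def bounded_gunzip(data, max_out):
    """Inflate one gzip body, emitting at most `max_out` bytes.

    zlib's max_length stops inflation once the cap is reached, so a tiny,
    highly compressed body cannot force a huge allocation. Returns
    (output, truncated); truncated is True when more output was pending.
    """
    d = zlib.decompressobj(wbits=zlib.MAX_WBITS | 16)  # 16 selects gzip framing
    out = d.decompress(data, max_out)
    # Not at end-of-stream means the cap was hit with more data outstanding.
    return out, not d.eof


def build_constructed_bomb(size=1 << 20):
    """Constructed sample: 1 MiB of zeros compresses to about a kilobyte."""
    return gzip.compress(b"\0" * size)


if __name__ == "__main__":
    bomb = build_constructed_bomb()
    out, truncated = bounded_gunzip(bomb, 4096)
    print(len(bomb), "compressed bytes ->", len(out), "bytes kept; truncated:", truncated)
    print(chain_is_safe("gzip, zstd"), chain_is_safe(", ".join(["gzip"] * 6)))
```

With urllib3 and `preload_content=False`, the header value to pass is `resp.headers.get("content-encoding", "")`, and the raw bytes for `bounded_gunzip` come from `resp.read(decode_content=False)`.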