{"id":"PYSEC-2026-1998","summary":"urllib3 allows an unbounded number of links in the decompression chain","details":"## Impact\n\nurllib3 supports chained HTTP encoding algorithms for response content according to RFC 9110 (e.g., `Content-Encoding: gzip, zstd`).\n\nHowever, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data.\n\n\n## Affected usages\n\nApplications and libraries using urllib3 version 2.5.0 and earlier for HTTP requests to untrusted sources unless they disable content decoding explicitly.\n\n\n## Remediation\n\nUpgrade to at least urllib3 v2.6.0 in which the library limits the number of links to 5.\n\nIf upgrading is not immediately possible, use [`preload_content=False`](https://urllib3.readthedocs.io/en/2.5.0/advanced-usage.html#streaming-and-i-o) and ensure that `resp.headers[\"content-encoding\"]` contains a safe number of encodings before reading the response content.","aliases":["CVE-2025-66418","GHSA-gm62-xv2j-4w53"],"modified":"2026-07-07T17:47:54.140852492Z","published":"2026-07-07T16:03:12.278581Z","references":[{"type":"WEB","url":"https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66418"},{"type":"FIX","url":"https://github.com/urllib3/urllib3/commit/24d7b67eac89f94e11003424bcf0d8f7b72222a8"},{"type":"PACKAGE","url":"https://github.com/urllib3/urllib3"},{"type":"PACKAGE","url":"https://pypi.org/project/urllib3"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-gm62-xv2j-4w53"}],"affected":[{"package":{"name":"urllib3","ecosystem":"PyPI","purl":"pkg:pypi/urllib3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"1.24"},{"fixed":"2.6.0"}]}],"versions":["1.24","1.24.1","1.24.2","1.24.3","1.25","1.25.1","1.25.10","1.25.11","1.25.2","1.25.3","1.25.4","1.25.5","1.25.6","1.25.7","1.25.8","1.25.9","1.26.0","1.26.1","1.26.10","1.26.11","1.26.12","1.26.13","1.26.14","1.26.15","1.26.16","1.26.17","1.26.18","1.26.19","1.26.2","1.26.20","1.26.3","1.26.4","1.26.5","1.26.6","1.26.7","1.26.8","1.26.9","2.0.0","2.0.0a1","2.0.0a2","2.0.0a3","2.0.0a4","2.0.1","2.0.2","2.0.3","2.0.4","2.0.5","2.0.6","2.0.7","2.1.0","2.2.0","2.2.1","2.2.2","2.2.3","2.3.0","2.4.0","2.5.0"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/urllib3/PYSEC-2026-1998.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H"}]}