Bug 2419455 (CVE-2025-66418)

Summary: CVE-2025-66418 urllib3: Unbounded decompression chain leads to resource exhaustion
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: abarbaro, adinn, adistefa, alcohan, alinfoot, alizardo, amctagga, anjoseph, anpicker, anthomas, aoconnor, aprice, bbrownin, bdettelb, bniver, bparees, brasmith, carogers, caswilli, cmyers, cochase, crizzo, dfreiber, dhanak, dnakabaa, doconnor, dranck, drosa, drow, dschmidt, dsimansk, dtrifiro, dymurray, eborisov, eglynn, ehelms, erezende, flucifre, galder, galder.zamarreno, ggainey, gmeno, gparvin, groman, gtanzill, haoli, hasun, hkataria, ibolton, jajackso, jbalunas, jburrell, jbuscemi, jcammara, jcantril, jchui, jdobes, jfula, jhe, jjoyce, jkoehler, jlanda, jmatthew, jmitchel, jmontleo, jneedle, joehler, jowilson, jprabhak, jpretori, jsamir, jschluet, juwatts, jwong, kaycoth, kbempah, kegrant, kgaikwad, kingland, koliveir, kshier, ktsao, kverlaen, lball, lbrazdil, lchilton, lcouzens, lgamliel, lhh, ljawale, lphiri, lsvaty, luizcosta, lwan, mabashia, manissin, matzew, mbabacek, mbenjamin, mburns, mgarciac, mhackett, mhess, mhulan, mminar, mnovotny, mrunge, mskarbek, nboldt, ngough, nmoumoul, nweather, nyancey, oaljalju, oezr, olubyans, omaciel, ometelka, orabin, osousa, owatkins, pahickey, pakotvan, pbohmill, pbraun, pcreech, pgaikwad, pgrist, pjindal, psrna, ptisnovs, rbiba, rbobbitt, rbryant, rchan, rekumar, rfreiman, rhaigner, rhel-process-autobot, rjohnson, rojacob, sausingh, sbiarozk, sdawley, sdoran, sfeifer, sgehwolf, shvarugh, simaishi, slucidi, smallamp, smcdonal, solenoci, sostapov, sseago, sskracic, stcannon, sthirugn, syedriko, teagle, tfister, thavo, tmalecek, tpfromme, tqvarnst, ttakamiy, tzivkovi, vereddy, veshanka, vimartin, vkumar, vle, vvoronko, vwilson, watson-tool-maintainers, weaton, whayutin, wtam, xdharmai, yguenane, zdohnal, zzhou
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in the urllib3 Python library that could lead to a Denial of Service condition. A remote, malicious server can exploit this flaw by responding to a client request with an HTTP message that uses an excessive number of chained compression algorithms. This unlimited decompression chain causes the client system to consume a virtually unbounded amount of CPU resources and memory. The high resource usage leads to service disruption, making the application unresponsive.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2422212, 2422213, 2422507, 2422508, 2422509, 2422510, 2422511, 2422512, 2422513, 2422514, 2422515, 2422591, 2431355, 2431356, 2431357, 2431358, 2431359
Bug Blocks:

Description OSIDB Bzimport 2025-12-05 17:01:44 UTC
urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.
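
The description above names two resource-exhaustion levers in a server-controlled Content-Encoding chain: the number of codings the client will undo, and how much each step expands. The following is an added illustration of the defensive shape of the fix, not urllib3's own code and not its API (the names, the 5-coding cap and the 1 MiB per-step output cap are constructed for this example; urllib3 2.6.0's actual limits and constants are not taken from this page). It parses a Content-Encoding value, rejects over-long chains before doing any decompression work, and bounds the output of every step using zlib's `max_length` so an over-limit stream is detected without materialising it:

```python
import gzip
import zlib

# Limits chosen for this example; they are NOT urllib3's own constants.
MAX_CHAIN_LENGTH = 5              # max number of codings accepted in one Content-Encoding value
MAX_DECOMPRESSED_BYTES = 1 << 20  # max output allowed from any single decompression step (1 MiB)

SUPPORTED_CODINGS = {"gzip", "x-gzip", "deflate", "identity"}


class DecompressionChainError(ValueError):
    """Raised when a response's Content-Encoding chain is rejected."""


def parse_content_encoding(header: str) -> list:
    """Split a Content-Encoding value into ordered, lower-cased codings; 'identity' is a no-op and dropped."""
    tokens = [t.strip().lower() for t in header.split(",")]
    return [t for t in tokens if t and t != "identity"]


def decompress_chain(body: bytes, content_encoding: str) -> bytes:
    """Undo the listed codings, refusing chains that are too long or steps that expand too much."""
    codings = parse_content_encoding(content_encoding)
    # Check 1: cap the chain length before any decompression work is spent.
    if len(codings) > MAX_CHAIN_LENGTH:
        raise DecompressionChainError(f"{len(codings)} codings exceeds limit of {MAX_CHAIN_LENGTH}")
    unknown = [c for c in codings if c not in SUPPORTED_CODINGS]
    if unknown:
        raise DecompressionChainError(f"unsupported coding(s): {unknown}")

    data = body
    # The server applied the codings in listed order, so they are undone in reverse.
    for coding in reversed(codings):
        if coding in ("gzip", "x-gzip"):
            d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip wrapper
        else:
            d = zlib.decompressobj()  # zlib-wrapped deflate; raw deflate streams are not handled here
        # Check 2: bound each step's output. Asking for one byte more than the limit lets an
        # over-limit stream be detected while never allocating the full expansion.
        data = d.decompress(data, MAX_DECOMPRESSED_BYTES + 1)
        if len(data) > MAX_DECOMPRESSED_BYTES or not d.eof:
            raise DecompressionChainError(
                f"'{coding}' step exceeded {MAX_DECOMPRESSED_BYTES} bytes or stream was truncated"
            )
    return data


def safe_decompress(body: bytes, content_encoding: str):
    """Return (True, payload) on success, or (False, reason) when the chain is rejected."""
    try:
        return True, decompress_chain(body, content_encoding)
    except (DecompressionChainError, zlib.error) as exc:
        return False, str(exc)


# Constructed sample responses for the demonstration (not captured traffic).
BENIGN_BODY = zlib.compress(gzip.compress(b"hello"))  # gzip applied first, then deflate
BENIGN_HEADER = "gzip, deflate"

LONG_CHAIN_HEADER = ", ".join(["gzip"] * (MAX_CHAIN_LENGTH + 1))  # one coding over the cap
LONG_CHAIN_BODY = b"\x00"  # never inspected: the chain-length check fires first

# A few hundred bytes on the wire that would inflate past the per-step limit.
BOMB_BODY = gzip.compress(b"\x00" * (MAX_DECOMPRESSED_BYTES + 1024))
BOMB_HEADER = "gzip"

if __name__ == "__main__":
    for name, body, header in [
        ("benign", BENIGN_BODY, BENIGN_HEADER),
        ("long chain", LONG_CHAIN_BODY, LONG_CHAIN_HEADER),
        ("over-limit expansion", BOMB_BODY, BOMB_HEADER),
    ]:
        print(f"{name:>22}: {safe_decompress(body, header)}")
```

The chain-length check is deliberately placed before the first `decompressobj` call, since the point of the flaw is that work is proportional to a header the server controls; the per-step size check is independent of it and also catches a single-coding response that expands far beyond its wire size.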

Comment 2 errata-xmlrpc 2026-01-26 12:38:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:1086 https://access.redhat.com/errata/RHSA-2026:1086

Comment 3 errata-xmlrpc 2026-01-26 12:59:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:1087 https://access.redhat.com/errata/RHSA-2026:1087

Comment 4 errata-xmlrpc 2026-01-26 14:06:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:1089 https://access.redhat.com/errata/RHSA-2026:1089

Comment 5 errata-xmlrpc 2026-01-26 14:14:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:1088 https://access.redhat.com/errata/RHSA-2026:1088

Comment 6 errata-xmlrpc 2026-01-26 14:57:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:1224 https://access.redhat.com/errata/RHSA-2026:1224

Comment 7 errata-xmlrpc 2026-01-26 15:29:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:1226 https://access.redhat.com/errata/RHSA-2026:1226

Comment 8 errata-xmlrpc 2026-01-26 17:54:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:1241 https://access.redhat.com/errata/RHSA-2026:1241

Comment 9 errata-xmlrpc 2026-01-26 17:59:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:1239 https://access.redhat.com/errata/RHSA-2026:1239

Comment 10 errata-xmlrpc 2026-01-26 18:13:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:1240 https://access.redhat.com/errata/RHSA-2026:1240

Comment 11 errata-xmlrpc 2026-01-26 20:44:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:1254 https://access.redhat.com/errata/RHSA-2026:1254

Comment 12 errata-xmlrpc 2026-01-27 08:28:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:1330 https://access.redhat.com/errata/RHSA-2026:1330

Comment 13 errata-xmlrpc 2026-01-27 08:31:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:1329 https://access.redhat.com/errata/RHSA-2026:1329

Comment 14 errata-xmlrpc 2026-01-27 08:48:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:1331 https://access.redhat.com/errata/RHSA-2026:1331

Comment 15 errata-xmlrpc 2026-01-27 08:59:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:1332 https://access.redhat.com/errata/RHSA-2026:1332

Comment 16 errata-xmlrpc 2026-01-27 09:30:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2026:1337 https://access.redhat.com/errata/RHSA-2026:1337

Comment 17 errata-xmlrpc 2026-01-27 09:30:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2026:1336 https://access.redhat.com/errata/RHSA-2026:1336

Comment 18 errata-xmlrpc 2026-01-27 09:31:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2026:1340 https://access.redhat.com/errata/RHSA-2026:1340

Comment 19 errata-xmlrpc 2026-01-27 09:31:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:1339 https://access.redhat.com/errata/RHSA-2026:1339

Comment 20 errata-xmlrpc 2026-01-27 09:49:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2026:1338 https://access.redhat.com/errata/RHSA-2026:1338

Comment 21 errata-xmlrpc 2026-01-28 11:21:49 UTC
This issue has been addressed in the following products:

  RHUI 4 for RHEL 8

Via RHSA-2026:1485 https://access.redhat.com/errata/RHSA-2026:1485

Comment 22 errata-xmlrpc 2026-01-29 09:08:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:1546 https://access.redhat.com/errata/RHSA-2026:1546

Comment 23 errata-xmlrpc 2026-02-02 01:12:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:1618 https://access.redhat.com/errata/RHSA-2026:1618

Comment 24 errata-xmlrpc 2026-02-02 01:53:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:1619 https://access.redhat.com/errata/RHSA-2026:1619

Comment 25 errata-xmlrpc 2026-02-02 06:38:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:1674 https://access.redhat.com/errata/RHSA-2026:1674

Comment 26 errata-xmlrpc 2026-02-02 06:49:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:1676 https://access.redhat.com/errata/RHSA-2026:1676

Comment 27 errata-xmlrpc 2026-02-02 09:56:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:1693 https://access.redhat.com/errata/RHSA-2026:1693

Comment 28 errata-xmlrpc 2026-02-02 10:46:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2026:1702 https://access.redhat.com/errata/RHSA-2026:1702

Comment 29 errata-xmlrpc 2026-02-02 10:46:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:1701 https://access.redhat.com/errata/RHSA-2026:1701

Comment 30 errata-xmlrpc 2026-02-02 11:45:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:1704 https://access.redhat.com/errata/RHSA-2026:1704

Comment 31 errata-xmlrpc 2026-02-02 13:05:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:1712 https://access.redhat.com/errata/RHSA-2026:1712

Comment 32 errata-xmlrpc 2026-02-02 15:18:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:1726 https://access.redhat.com/errata/RHSA-2026:1726

Comment 33 errata-xmlrpc 2026-02-02 15:38:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:1729 https://access.redhat.com/errata/RHSA-2026:1729

Comment 34 errata-xmlrpc 2026-02-04 19:11:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:1957 https://access.redhat.com/errata/RHSA-2026:1957

Comment 35 errata-xmlrpc 2026-02-09 08:57:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2026:2279 https://access.redhat.com/errata/RHSA-2026:2279

Comment 37 errata-xmlrpc 2026-02-16 11:23:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2026:2723 https://access.redhat.com/errata/RHSA-2026:2723

Comment 38 errata-xmlrpc 2026-02-16 11:26:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2026:2717 https://access.redhat.com/errata/RHSA-2026:2717

Comment 39 errata-xmlrpc 2026-02-16 11:35:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:2718 https://access.redhat.com/errata/RHSA-2026:2718

Comment 40 errata-xmlrpc 2026-02-16 11:53:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2026:2728 https://access.redhat.com/errata/RHSA-2026:2728

Comment 41 errata-xmlrpc 2026-02-16 19:02:48 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.17 for RHEL 9

Via RHSA-2026:2764 https://access.redhat.com/errata/RHSA-2026:2764

Comment 42 errata-xmlrpc 2026-02-16 21:29:46 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.16 for RHEL 8
  Red Hat Satellite 6.16 for RHEL 9

Via RHSA-2026:2765 https://access.redhat.com/errata/RHSA-2026:2765