Bug 2419467 (CVE-2025-66471)
| Summary: | CVE-2025-66471 urllib3: urllib3 Streaming API improperly handles highly compressed data | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | abarbaro, adinn, adistefa, adudiak, alcohan, alinfoot, alizardo, amctagga, anjoseph, anpicker, anthomas, aoconnor, aprice, bbrownin, bdettelb, bniver, bparees, brasmith, carogers, caswilli, cmyers, cochase, crizzo, dfreiber, dhanak, dnakabaa, doconnor, dranck, drosa, drow, dschmidt, dsimansk, dtrifiro, dymurray, eglynn, ehelms, erezende, flucifre, galder.zamarreno, ggainey, gmeno, gparvin, groman, gtanzill, haoli, hasun, hkataria, ibolton, jajackso, jbalunas, jburrell, jbuscemi, jcammara, jcantril, jchui, jdobes, jfula, jhe, jjoyce, jkoehler, jlanda, jmatthew, jmitchel, jmontleo, jneedle, joehler, jowilson, jprabhak, jsamir, jschluet, juwatts, jwong, kaycoth, kegrant, kgaikwad, kingland, koliveir, kshier, ktsao, kverlaen, lball, lbrazdil, lchilton, lcouzens, lgamliel, lhh, ljawale, lphiri, lsvaty, luizcosta, mabashia, manissin, matzew, mbabacek, mbenjamin, mburns, mgarciac, mhackett, mhulan, mminar, mnovotny, mrunge, mskarbek, nboldt, ngough, nmoumoul, nweather, nyancey, oezr, olubyans, omaciel, ometelka, orabin, osousa, owatkins, pahickey, pakotvan, pbohmill, pbraun, pcreech, pgaikwad, pgrist, pjindal, psrna, ptisnovs, rbiba, rbobbitt, rbryant, rchan, rfreiman, rhaigner, rjohnson, rojacob, sausingh, sbiarozk, sdawley, sdoran, sfeifer, sgehwolf, shvarugh, simaishi, slucidi, smallamp, smcdonal, sostapov, sseago, sskracic, stcannon, sthirugn, syedriko, teagle, tfister, thavo, tmalecek, tpfromme, tqvarnst, ttakamiy, vereddy, veshanka, vimartin, vkumar, weaton, whayutin, wtam, xdharmai, xiaoxwan, yguenane, zdohnal, zzhou |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | --- |
| Doc Text: | A decompression handling flaw has been discovered in urllib3. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data; CWE-409) on the client side, even if the application only requested a small chunk of data. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2431300, 2422221, 2422222, 2422224, 2422225, 2427771, 2427773, 2427774, 2427775, 2427776, 2427777, 2427778, 2427779, 2427780, 2427781, 2431298, 2431299, 2431302, 2431303 | ||
| Bug Blocks: | |||
Description
OSIDB Bzimport
2025-12-05 17:02:45 UTC
This issue has been addressed in the following products:

- Red Hat Enterprise Linux 10 via RHSA-2026:1086 (https://access.redhat.com/errata/RHSA-2026:1086)
- Red Hat Enterprise Linux 9 via RHSA-2026:1087 (https://access.redhat.com/errata/RHSA-2026:1087)
- Red Hat Enterprise Linux 9 via RHSA-2026:1089 (https://access.redhat.com/errata/RHSA-2026:1089)
- Red Hat Enterprise Linux 9 via RHSA-2026:1088 (https://access.redhat.com/errata/RHSA-2026:1088)
- Red Hat Enterprise Linux 8 via RHSA-2026:1224 (https://access.redhat.com/errata/RHSA-2026:1224)
- Red Hat Enterprise Linux 8 via RHSA-2026:1226 (https://access.redhat.com/errata/RHSA-2026:1226)
- Red Hat Enterprise Linux 8 via RHSA-2026:1241 (https://access.redhat.com/errata/RHSA-2026:1241)
- Red Hat Enterprise Linux 9 via RHSA-2026:1239 (https://access.redhat.com/errata/RHSA-2026:1239)
- Red Hat Enterprise Linux 8 via RHSA-2026:1240 (https://access.redhat.com/errata/RHSA-2026:1240)
- Red Hat Ansible Automation Platform 2.6 for RHEL 9; Red Hat Ansible Automation Platform 2.6 for RHEL 10 via RHSA-2026:1249 (https://access.redhat.com/errata/RHSA-2026:1249)
- Red Hat Enterprise Linux 8 via RHSA-2026:1254 (https://access.redhat.com/errata/RHSA-2026:1254)
- RHUI 4 for RHEL 8 via RHSA-2026:1485 (https://access.redhat.com/errata/RHSA-2026:1485)
- Red Hat Ansible Automation Platform 2.4 for RHEL 8; Red Hat Ansible Automation Platform 2.4 for RHEL 9 via RHSA-2026:1497 (https://access.redhat.com/errata/RHSA-2026:1497)
- Red Hat Ansible Automation Platform 2.5 for RHEL 9; Red Hat Ansible Automation Platform 2.5 for RHEL 8 via RHSA-2026:1506 (https://access.redhat.com/errata/RHSA-2026:1506)
- Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions via RHSA-2026:1546 (https://access.redhat.com/errata/RHSA-2026:1546)
- Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions via RHSA-2026:1618 (https://access.redhat.com/errata/RHSA-2026:1618)
- Red Hat Enterprise Linux 9.6 Extended Update Support via RHSA-2026:1619 (https://access.redhat.com/errata/RHSA-2026:1619)
- Red Hat Enterprise Linux 9.4 Extended Update Support via RHSA-2026:1674 (https://access.redhat.com/errata/RHSA-2026:1674)
- Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions; Red Hat Enterprise Linux 8.8 Telecommunications Update Service via RHSA-2026:1676 (https://access.redhat.com/errata/RHSA-2026:1676)
- Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions via RHSA-2026:1693 (https://access.redhat.com/errata/RHSA-2026:1693)
- Red Hat Enterprise Linux 9.6 Extended Update Support via RHSA-2026:1704 (https://access.redhat.com/errata/RHSA-2026:1704)
- Red Hat Enterprise Linux 9.6 Extended Update Support via RHSA-2026:1706 (https://access.redhat.com/errata/RHSA-2026:1706)
- Red Hat Enterprise Linux 9.4 Extended Update Support via RHSA-2026:1712 (https://access.redhat.com/errata/RHSA-2026:1712)
- Red Hat Enterprise Linux 9.4 Extended Update Support via RHSA-2026:1717 (https://access.redhat.com/errata/RHSA-2026:1717)
- Red Hat Enterprise Linux 10.0 Extended Update Support via RHSA-2026:1726 (https://access.redhat.com/errata/RHSA-2026:1726)
- Red Hat Enterprise Linux 9.6 Extended Update Support via RHSA-2026:1729 (https://access.redhat.com/errata/RHSA-2026:1729)
- Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions via RHSA-2026:1734 (https://access.redhat.com/errata/RHSA-2026:1734)
- Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions via RHSA-2026:1735 (https://access.redhat.com/errata/RHSA-2026:1735)
- Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support; Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions; Red Hat Enterprise Linux 8.6 Telecommunications Update Service via RHSA-2026:1793 (https://access.redhat.com/errata/RHSA-2026:1793)
- Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions; Red Hat Enterprise Linux 8.8 Telecommunications Update Service via RHSA-2026:1791 (https://access.redhat.com/errata/RHSA-2026:1791)
- Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions; Red Hat Enterprise Linux 8.8 Telecommunications Update Service via RHSA-2026:1794 (https://access.redhat.com/errata/RHSA-2026:1794)
- Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support; Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions; Red Hat Enterprise Linux 8.6 Telecommunications Update Service via RHSA-2026:1792 (https://access.redhat.com/errata/RHSA-2026:1792)
- Red Hat Enterprise Linux 7 Extended Lifecycle Support via RHSA-2026:1795 (https://access.redhat.com/errata/RHSA-2026:1795)
- Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support; Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On via RHSA-2026:1803 (https://access.redhat.com/errata/RHSA-2026:1803)
- Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support; Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On via RHSA-2026:1805 (https://access.redhat.com/errata/RHSA-2026:1805)
- Red Hat Enterprise Linux 9.4 Extended Update Support via RHSA-2026:1957 (https://access.redhat.com/errata/RHSA-2026:1957)
- Red Hat Enterprise Linux 7 Extended Lifecycle Support via RHSA-2026:2060 (https://access.redhat.com/errata/RHSA-2026:2060)
- Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support; Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On via RHSA-2026:2723 (https://access.redhat.com/errata/RHSA-2026:2723)
- Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support; Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions; Red Hat Enterprise Linux 8.6 Telecommunications Update Service via RHSA-2026:2717 (https://access.redhat.com/errata/RHSA-2026:2717)
- Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions; Red Hat Enterprise Linux 8.8 Telecommunications Update Service via RHSA-2026:2718 (https://access.redhat.com/errata/RHSA-2026:2718)
- Red Hat Enterprise Linux 8.2 Advanced Update Support via RHSA-2026:2728 (https://access.redhat.com/errata/RHSA-2026:2728)
- Red Hat Satellite 6.18 for RHEL 9 via RHSA-2026:2760 (https://access.redhat.com/errata/RHSA-2026:2760)
- Red Hat Satellite 6.17 for RHEL 9 via RHSA-2026:2764 (https://access.redhat.com/errata/RHSA-2026:2764)
- Red Hat Satellite 6.16 for RHEL 8; Red Hat Satellite 6.16 for RHEL 9 via RHSA-2026:2765 (https://access.redhat.com/errata/RHSA-2026:2765)
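The failure mode in the Doc Text above, as an added illustration that is neither urllib3's code nor the Red Hat fix: a constructed gzip sample that inflates about a thousandfold is decoded once without a bound (the whole first network chunk inflates in a single call) and once through a reader that uses zlib's `max_length` so no single read produces more than the caller asked for. `BoundedGzipReader`, `NETWORK_CHUNK` and the sample data are assumptions made for this demonstration.

```python
import gzip
import io
import zlib

# Constructed sample input: 1 MiB of zero bytes gzips to about 1 KiB, so it
# arrives in a single network read yet inflates to 1,048,576 bytes.
RAW_SIZE = 1 << 20
SAMPLE_GZIP = gzip.compress(b"\x00" * RAW_SIZE, compresslevel=9)
NETWORK_CHUNK = 8192              # bytes pulled from the socket per read (assumed)
GZIP_WBITS = 16 + zlib.MAX_WBITS  # make zlib expect a gzip wrapper


class BoundedGzipReader:
    """Hypothetical streaming decoder (not urllib3's API): read(amt) never
    produces more than amt decompressed bytes, because zlib's max_length
    stops inflation early and hands the unconsumed input back to us."""

    def __init__(self, source):
        self._source = source
        self._decomp = zlib.decompressobj(GZIP_WBITS)
        self._pending = b""   # compressed bytes zlib has not consumed yet
        self.peak_output = 0  # largest single decompress() result observed

    def read(self, amt):
        out = bytearray()
        while len(out) < amt:
            if not self._pending:
                if self._decomp.eof:
                    break
                self._pending = self._source.read(NETWORK_CHUNK)
                if not self._pending:
                    break  # source exhausted before the gzip stream ended
            piece = self._decomp.decompress(self._pending, amt - len(out))
            self._pending = self._decomp.unconsumed_tail
            self.peak_output = max(self.peak_output, len(piece))
            out += piece
        return bytes(out)


def compare(amt=1024):
    """Return (unbounded first-read size, bounded first-read size, bounded
    peak per decompress() call, total bytes the bounded reader yields)."""
    # Unbounded: decode the whole first network chunk in one call.
    naive = zlib.decompressobj(GZIP_WBITS).decompress(SAMPLE_GZIP[:NETWORK_CHUNK])
    reader = BoundedGzipReader(io.BytesIO(SAMPLE_GZIP))
    first = reader.read(amt)
    total = len(first)
    while chunk := reader.read(amt):
        total += len(chunk)
    return len(naive), len(first), reader.peak_output, total
```

With a 1 KiB request the unbounded path allocates the full 1 MiB on the first read, while the bounded reader yields exactly 1 KiB per call and still reconstructs the complete body.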