ALPINE-CVE-2025-66418

ALPINE-CVE-2025-66418 PUBLISHED CVSS 7.5 HIGH

urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.

Risk Scores

CVSS v3.1

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products

Vendor	Product	Versions
Alpine:v3.23	py3-urllib3	1.21.1-r0, 1.22-r0, 1.24.1-r0

Timeline

Dec 5, 2025 CVE Published
Jan 23, 2026 CVE Updated
Apr 30, 2026 Distribution Patch

References

https://security.alpinelinux.org/vuln/CVE-2025-66418 advisory

Open in Interactive Console →