IxtliHIGHCVE-2025-66471PyPICVSS 7.5
urllib3
Published
Description
Decompression-bomb safeguards bypassed when following HTTP redirects (streaming API)
Affected Versions
>=1.0
FIXED VERSIONS2.6.32.6.0
References
WEBhttps://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-66471WEBhttps://github.com/urllib3/urllib3/commit/c19571de34c47de3a766541b041637ba5f716ed7PACKAGEhttps://github.com/urllib3/urllib3WEBhttps://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-21441WEBhttps://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7bWEBhttps://lists.debian.org/debian-lts-announce/2026/01/msg00017.htmlWEBhttps://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-66418WEBhttps://github.com/urllib3/urllib3/commit/24d7b67eac89f94e11003424bcf0d8f7b72222a8