UBUNTU-CVE-2025-66471

Source
https://ubuntu.com/security/CVE-2025-66471
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-66471.json
JSON Data
https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2025-66471
Published
2025-12-05T17:16:00Z
Modified
2025-12-12T09:00:55.477163Z
Severity
  • 8.9 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • Ubuntu - medium
Summary
[none]
Details

urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the streaming API improperly handles highly compressed data. urllib3's streaming API is designed for efficient handling of large HTTP responses by reading the content in chunks rather than loading the entire response body into memory at once. When streaming a compressed response, urllib3 can decode or decompress the body based on the HTTP Content-Encoding header (e.g. gzip, deflate, br or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met; any decompressed data beyond the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation, so a server returning a crafted, highly compressible body can make a client that asked for a few kilobytes decompress and allocate the entire expanded body at once. This results in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data); the impact is availability only, as the CVSS vectors above reflect. The issue is fixed upstream in urllib3 2.6.0.

Two points for anyone triaging this on Ubuntu: pip ships its own vendored copy of urllib3 (pip/_vendor/urllib3), which is why the python-pip source package is listed below next to python-urllib3, and updating python3-urllib3 alone does not patch the copy pip uses. Also, only the 24.04, 25.04 and 25.10 python-urllib3 entries below carry a Fixed event; the remaining releases list affected versions with no fixed package as of the Modified date above.
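The buffering behaviour described above, reduced to a runnable model. This is an added example written for this page, not urllib3's own code: it builds a constructed gzip body of zero bytes (a few KiB on the wire, several MiB decoded) and reads it through two hypothetical decoders, one that decodes every network chunk in full as the advisory describes, and one that caps each call with zlib's max_length and carries the unconsumed compressed remainder into the next read. All class, function and variable names are invented here.

```python
"""Bounded versus unbounded decompression of a streamed, highly compressed body.

Added example for this page, not urllib3's code. The decoder classes and the
read loop are simplified stand-ins for the behaviour the advisory describes.
"""
from __future__ import annotations

import gzip
import io
import zlib


def make_gzip_bomb(decompressed_size: int) -> bytes:
    """Constructed sample input: a gzip body of `decompressed_size` zero bytes.
    A run of identical bytes deflates at roughly 1000:1, so a few KiB on the
    wire expands to several MiB."""
    return gzip.compress(b"\x00" * decompressed_size, compresslevel=9)


class UnboundedGzipDecoder:
    """Models the pre-fix behaviour: decode whatever network chunk arrives in
    full, however large the decompressed result turns out to be."""

    def __init__(self) -> None:
        self._obj = zlib.decompressobj(16 + zlib.MAX_WBITS)  # gzip framing

    def decompress(self, data: bytes, max_length: int) -> bytes:
        del max_length  # deliberately ignored: this is the hazard being shown
        return self._obj.decompress(data)

    def has_pending(self) -> bool:
        return False  # input is always consumed in full, nothing is left over


class BoundedGzipDecoder:
    """Hardened form: emit at most `max_length` decoded bytes per call and keep
    the unconsumed compressed remainder for the next call, so the largest
    allocation is capped by what the caller asked for."""

    def __init__(self) -> None:
        self._obj = zlib.decompressobj(16 + zlib.MAX_WBITS)
        self._pending = b""

    def decompress(self, data: bytes, max_length: int) -> bytes:
        out = self._obj.decompress(self._pending + data, max_length)
        self._pending = self._obj.unconsumed_tail
        return out

    def has_pending(self) -> bool:
        return bool(self._pending)


def stream_read(wire: bytes, amt: int, bounded: bool) -> tuple[int, int]:
    """Simulates a chunked read loop over a compressed body: pull from the
    'network', decode until `amt` decoded bytes are available, hand them to
    the caller, and hold any excess in `buf` for the next read.
    Returns (total_bytes_delivered, peak_len_of_internal_buffer)."""
    net = io.BytesIO(wire)
    dec = BoundedGzipDecoder() if bounded else UnboundedGzipDecoder()
    buf = bytearray()
    total = peak = 0
    while True:
        while len(buf) < amt:
            # Drain leftover compressed input before touching the network.
            chunk = b"" if dec.has_pending() else net.read(amt)
            if not chunk and not dec.has_pending():
                break  # end of body
            buf += dec.decompress(chunk, amt - len(buf))
            peak = max(peak, len(buf))
        if not buf:
            break
        total += len(buf[:amt])
        del buf[:amt]  # cheap front deletion on a bytearray
    return total, peak


if __name__ == "__main__":
    body = make_gzip_bomb(4 * 1024 * 1024)
    for bounded in (False, True):
        total, peak = stream_read(body, 4096, bounded)
        label = "bounded" if bounded else "unbounded"
        print(f"{label}: wire={len(body)}B delivered={total}B peak_buffer={peak}B")
```

Both decoders deliver the same 4 MiB in total, but the unbounded one inflates the whole body on the first 4 KiB network read, while the bounded one never holds more than the 4096 bytes the caller asked for. If upgrading to a fixed urllib3 is not immediately possible, passing decode_content=False to the stream call leaves the body compressed so the application can decompress it with its own output cap, as the bounded decoder does here.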

References

Affected packages

Ubuntu:22.04:LTS

python-pip

Package

Name
python-pip
Purl
pkg:deb/ubuntu/python-pip@22.0.2+dfsg-1ubuntu0.7?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

20.*

20.3.4-4

21.*

21.3.1+dfsg-3

22.*

22.0.2+dfsg-1
22.0.2+dfsg-1ubuntu0.1
22.0.2+dfsg-1ubuntu0.2
22.0.2+dfsg-1ubuntu0.3
22.0.2+dfsg-1ubuntu0.4
22.0.2+dfsg-1ubuntu0.5
22.0.2+dfsg-1ubuntu0.6
22.0.2+dfsg-1ubuntu0.7

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "22.0.2+dfsg-1ubuntu0.7",
            "binary_name": "python3-pip"
        },
        {
            "binary_version": "22.0.2+dfsg-1ubuntu0.7",
            "binary_name": "python3-pip-whl"
        }
    ]
}

python-urllib3

Package

Name
python-urllib3
Purl
pkg:deb/ubuntu/python-urllib3@1.26.5-1~exp1ubuntu0.4?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

1.*

1.26.5-1~exp1
1.26.5-1~exp1ubuntu0.1
1.26.5-1~exp1ubuntu0.2
1.26.5-1~exp1ubuntu0.3
1.26.5-1~exp1ubuntu0.4

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.26.5-1~exp1ubuntu0.4",
            "binary_name": "python3-urllib3"
        }
    ]
}

Ubuntu:24.04:LTS

python-pip

Package

Name
python-pip
Purl
pkg:deb/ubuntu/python-pip@24.0+dfsg-1ubuntu1.3?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

23.*

23.2+dfsg-1
23.3+dfsg-1

24.*

24.0+dfsg-1
24.0+dfsg-1ubuntu1
24.0+dfsg-1ubuntu1.1
24.0+dfsg-1ubuntu1.2
24.0+dfsg-1ubuntu1.3

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "24.0+dfsg-1ubuntu1.3",
            "binary_name": "python3-pip"
        },
        {
            "binary_version": "24.0+dfsg-1ubuntu1.3",
            "binary_name": "python3-pip-whl"
        }
    ]
}

python-urllib3

Package

Name
python-urllib3
Purl
pkg:deb/ubuntu/python-urllib3@2.0.7-1ubuntu0.3?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.0.7-1ubuntu0.3

Affected versions

1.*

1.26.16-1
1.26.18-1

2.*

2.0.7-1
2.0.7-1ubuntu0.1
2.0.7-1ubuntu0.2

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_version": "2.0.7-1ubuntu0.3",
            "binary_name": "python3-urllib3"
        }
    ]
}

Ubuntu:25.04

python-pip

Package

Name
python-pip
Purl
pkg:deb/ubuntu/python-pip@25.0+dfsg-1ubuntu0.2?arch=source&distro=plucky

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

24.*

24.2+dfsg-1
24.2+dfsg-1ubuntu0.1
24.3.1+dfsg-1

25.*

25.0+dfsg-1
25.0+dfsg-1ubuntu0.1
25.0+dfsg-1ubuntu0.2

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "25.0+dfsg-1ubuntu0.2",
            "binary_name": "python3-pip"
        },
        {
            "binary_version": "25.0+dfsg-1ubuntu0.2",
            "binary_name": "python3-pip-whl"
        }
    ]
}

python-urllib3

Package

Name
python-urllib3
Purl
pkg:deb/ubuntu/python-urllib3@2.3.0-2ubuntu0.2?arch=source&distro=plucky

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.3.0-2ubuntu0.2

Affected versions

2.*

2.0.7-2
2.0.7-2ubuntu0.1
2.3.0-1
2.3.0-2
2.3.0-2ubuntu0.1

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_version": "2.3.0-2ubuntu0.2",
            "binary_name": "python3-urllib3"
        }
    ]
}

Ubuntu:25.10

python-pip

Package

Name
python-pip
Purl
pkg:deb/ubuntu/python-pip@25.1.1+dfsg-1ubuntu2?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

25.*

25.0+dfsg-1
25.1.1+dfsg-1
25.1.1+dfsg-1ubuntu1
25.1.1+dfsg-1ubuntu2

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "25.1.1+dfsg-1ubuntu2",
            "binary_name": "python3-pip"
        },
        {
            "binary_version": "25.1.1+dfsg-1ubuntu2",
            "binary_name": "python3-pip-whl"
        }
    ]
}

python-urllib3

Package

Name
python-urllib3
Purl
pkg:deb/ubuntu/python-urllib3@2.3.0-3ubuntu0.1?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.3.0-3ubuntu0.1

Affected versions

2.*

2.3.0-2
2.3.0-2ubuntu1
2.3.0-3

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_version": "2.3.0-3ubuntu0.1",
            "binary_name": "python3-urllib3"
        }
    ]
}

Ubuntu:Pro:14.04:LTS

python-pip

Package

Name
python-pip
Purl
pkg:deb/ubuntu/python-pip@1.5.4-1ubuntu4+esm5?arch=source&distro=esm-infra-legacy/trusty

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

1.*

1.4.1-2
1.5.4-1
1.5.4-1ubuntu1
1.5.4-1ubuntu3
1.5.4-1ubuntu4
1.5.4-1ubuntu4+esm1
1.5.4-1ubuntu4+esm2
1.5.4-1ubuntu4+esm3
1.5.4-1ubuntu4+esm4
1.5.4-1ubuntu4+esm5

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.5.4-1ubuntu4+esm5",
            "binary_name": "python-pip"
        },
        {
            "binary_version": "1.5.4-1ubuntu4+esm5",
            "binary_name": "python-pip-whl"
        },
        {
            "binary_version": "1.5.4-1ubuntu4+esm5",
            "binary_name": "python3-pip"
        }
    ]
}

python-urllib3

Package

Name
python-urllib3
Purl
pkg:deb/ubuntu/python-urllib3@1.7.1-1ubuntu4.1+esm1?arch=source&distro=esm-infra-legacy/trusty

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

1.*

1.6-2
1.7.1-1
1.7.1-1build1
1.7.1-1ubuntu0.1
1.7.1-1ubuntu3
1.7.1-1ubuntu4
1.7.1-1ubuntu4.1
1.7.1-1ubuntu4.1+esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.7.1-1ubuntu4.1+esm1",
            "binary_name": "python-urllib3"
        },
        {
            "binary_version": "1.7.1-1ubuntu4.1+esm1",
            "binary_name": "python-urllib3-whl"
        },
        {
            "binary_version": "1.7.1-1ubuntu4.1+esm1",
            "binary_name": "python3-urllib3"
        }
    ]
}

Ubuntu:Pro:16.04:LTS

python-urllib3

Package

Name
python-urllib3
Purl
pkg:deb/ubuntu/python-urllib3@1.13.1-2ubuntu0.16.04.4+esm3?arch=source&distro=esm-infra/xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

1.*

1.11-1
1.12-1
1.13.1-1
1.13.1-2
1.13.1-2ubuntu0.16.04.1
1.13.1-2ubuntu0.16.04.2
1.13.1-2ubuntu0.16.04.3
1.13.1-2ubuntu0.16.04.4
1.13.1-2ubuntu0.16.04.4+esm1
1.13.1-2ubuntu0.16.04.4+esm2
1.13.1-2ubuntu0.16.04.4+esm3

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.13.1-2ubuntu0.16.04.4+esm3",
            "binary_name": "python-urllib3"
        },
        {
            "binary_version": "1.13.1-2ubuntu0.16.04.4+esm3",
            "binary_name": "python3-urllib3"
        }
    ]
}

python-pip

Package

Name
python-pip
Purl
pkg:deb/ubuntu/python-pip@8.1.1-2ubuntu0.6+esm11?arch=source&distro=esm-apps/xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

1.*

1.5.6-7ubuntu1
1.5.6-7ubuntu2

8.*

8.0.2-7
8.0.3-1
8.0.3-2
8.1.0-1
8.1.0-2
8.1.1-1
8.1.1-2
8.1.1-2ubuntu0.1
8.1.1-2ubuntu0.2
8.1.1-2ubuntu0.4
8.1.1-2ubuntu0.6
8.1.1-2ubuntu0.6+esm2
8.1.1-2ubuntu0.6+esm3
8.1.1-2ubuntu0.6+esm4
8.1.1-2ubuntu0.6+esm5
8.1.1-2ubuntu0.6+esm6
8.1.1-2ubuntu0.6+esm8
8.1.1-2ubuntu0.6+esm10
8.1.1-2ubuntu0.6+esm11

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "8.1.1-2ubuntu0.6+esm11",
            "binary_name": "python-pip"
        },
        {
            "binary_version": "8.1.1-2ubuntu0.6+esm11",
            "binary_name": "python-pip-whl"
        },
        {
            "binary_version": "8.1.1-2ubuntu0.6+esm11",
            "binary_name": "python3-pip"
        }
    ]
}

Ubuntu:Pro:18.04:LTS

python-urllib3

Package

Name
python-urllib3
Purl
pkg:deb/ubuntu/python-urllib3@1.22-1ubuntu0.18.04.2+esm3?arch=source&distro=esm-infra/bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

1.*

1.21.1-1
1.22-1
1.22-1ubuntu0.18.04.1
1.22-1ubuntu0.18.04.2
1.22-1ubuntu0.18.04.2+esm1
1.22-1ubuntu0.18.04.2+esm2
1.22-1ubuntu0.18.04.2+esm3

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.22-1ubuntu0.18.04.2+esm3",
            "binary_name": "python-urllib3"
        },
        {
            "binary_version": "1.22-1ubuntu0.18.04.2+esm3",
            "binary_name": "python3-urllib3"
        }
    ]
}

python-pip

Package

Name
python-pip
Purl
pkg:deb/ubuntu/python-pip@9.0.1-2.3~ubuntu1.18.04.8+esm7?arch=source&distro=esm-apps/bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

9.*

9.0.1-2
9.0.1-2.3~ubuntu1
9.0.1-2.3~ubuntu1.18.04.1
9.0.1-2.3~ubuntu1.18.04.2
9.0.1-2.3~ubuntu1.18.04.3
9.0.1-2.3~ubuntu1.18.04.4
9.0.1-2.3~ubuntu1.18.04.5
9.0.1-2.3~ubuntu1.18.04.5+esm2
9.0.1-2.3~ubuntu1.18.04.5+esm3
9.0.1-2.3~ubuntu1.18.04.6
9.0.1-2.3~ubuntu1.18.04.6+esm1
9.0.1-2.3~ubuntu1.18.04.7
9.0.1-2.3~ubuntu1.18.04.7+esm1
9.0.1-2.3~ubuntu1.18.04.8
9.0.1-2.3~ubuntu1.18.04.8+esm1
9.0.1-2.3~ubuntu1.18.04.8+esm2
9.0.1-2.3~ubuntu1.18.04.8+esm4
9.0.1-2.3~ubuntu1.18.04.8+esm6
9.0.1-2.3~ubuntu1.18.04.8+esm7

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "9.0.1-2.3~ubuntu1.18.04.8+esm7",
            "binary_name": "python-pip"
        },
        {
            "binary_version": "9.0.1-2.3~ubuntu1.18.04.8+esm7",
            "binary_name": "python-pip-whl"
        },
        {
            "binary_version": "9.0.1-2.3~ubuntu1.18.04.8+esm7",
            "binary_name": "python3-pip"
        }
    ]
}

Ubuntu:Pro:20.04:LTS

python-urllib3

Package

Name
python-urllib3
Purl
pkg:deb/ubuntu/python-urllib3@1.25.8-2ubuntu0.4+esm2?arch=source&distro=esm-infra/focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

1.*

1.24.1-1ubuntu1
1.24.1-1ubuntu2
1.25.8-1
1.25.8-2
1.25.8-2ubuntu0.1
1.25.8-2ubuntu0.2
1.25.8-2ubuntu0.3
1.25.8-2ubuntu0.4
1.25.8-2ubuntu0.4+esm1
1.25.8-2ubuntu0.4+esm2

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.25.8-2ubuntu0.4+esm2",
            "binary_name": "python3-urllib3"
        }
    ]
}

python-pip

Package

Name
python-pip
Purl
pkg:deb/ubuntu/python-pip@20.0.2-5ubuntu1.11+esm3?arch=source&distro=esm-apps/focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

18.*

18.1-5
18.1-5build1
18.1-5ubuntu1

20.*

20.0.2-2
20.0.2-4
20.0.2-5
20.0.2-5ubuntu1
20.0.2-5ubuntu1.1
20.0.2-5ubuntu1.3
20.0.2-5ubuntu1.4
20.0.2-5ubuntu1.5
20.0.2-5ubuntu1.6
20.0.2-5ubuntu1.7
20.0.2-5ubuntu1.8
20.0.2-5ubuntu1.9
20.0.2-5ubuntu1.10
20.0.2-5ubuntu1.10+esm2
20.0.2-5ubuntu1.11
20.0.2-5ubuntu1.11+esm2
20.0.2-5ubuntu1.11+esm3

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "20.0.2-5ubuntu1.11+esm3",
            "binary_name": "python-pip-whl"
        },
        {
            "binary_version": "20.0.2-5ubuntu1.11+esm3",
            "binary_name": "python3-pip"
        }
    ]
}
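Deciding whether an installed package is at or past one of the Fixed versions above is not a plain string comparison: Debian versions carry an epoch, an upstream part and a revision, "~" sorts before anything (so 1.26.5-1~exp1ubuntu0.4 is older than 1.26.5-1), and digit runs compare numerically (ubuntu0.10 is newer than ubuntu0.9). The following is an added example written for this page, not Ubuntu's or OSV's tooling: a small implementation of dpkg's version-ordering algorithm and a check of python3-urllib3 against the per-release fixed versions transcribed from the Fixed events above. Releases with no Fixed event on this page are deliberately absent from the table, and all function and constant names are invented here.

```python
"""Compare an installed Ubuntu package version against this advisory's fixed
versions using dpkg's ordering rules. Added example for this page, not
Ubuntu's or OSV's own tooling."""
from __future__ import annotations

import subprocess

DIGITS = "0123456789"

# python-urllib3 fixed versions per Ubuntu release codename, transcribed from
# the 'Fixed' events on this page. Releases without a Fixed event are omitted.
FIXED_SOURCE_VERSIONS = {
    "noble": "2.0.7-1ubuntu0.3",
    "plucky": "2.3.0-2ubuntu0.2",
    "questing": "2.3.0-3ubuntu0.1",
}


def _order(c: str) -> int:
    """dpkg's character weight: '~' < end of string < letters < other characters.
    Digits and end of string both map to 0; the caller never compares those two."""
    if c in DIGITS:
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    if c:
        return ord(c) + 256
    return 0


def _verrevcmp(a: str, b: str) -> int:
    """dpkg's comparison of an upstream-version or revision string: alternate
    between non-digit runs (compared by _order) and digit runs (numerically)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and a[i] not in DIGITS) or (j < len(b) and b[j] not in DIGITS):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":  # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i] in DIGITS and j < len(b) and b[j] in DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in DIGITS:  # longer digit run wins
            return 1
        if j < len(b) and b[j] in DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str) -> tuple[int, str, str]:
    """Split 'epoch:upstream-revision' into its parts; epoch defaults to 0 and
    the revision is everything after the last '-'."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def dpkg_compare(v1: str, v2: str) -> int:
    """Return -1, 0 or 1 as v1 is older than, equal to, or newer than v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    c = _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)


def assess(installed: str, release: str, fixed_table: dict[str, str] = FIXED_SOURCE_VERSIONS) -> str:
    """Classify an installed version for a release against the fixed-version table."""
    fixed = fixed_table.get(release)
    if fixed is None:
        return "no fixed version listed for this release"
    return "fixed" if dpkg_compare(installed, fixed) >= 0 else "vulnerable"


def installed_version(binary: str = "python3-urllib3") -> str | None:
    """Installed version of a binary package via dpkg-query, or None if absent."""
    try:
        out = subprocess.run(["dpkg-query", "-W", "-f=${Version}", binary],
                             capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip() or None


def ubuntu_codename(path: str = "/etc/os-release") -> str | None:
    """VERSION_CODENAME from os-release (e.g. 'noble'), or None if unreadable."""
    try:
        with open(path) as fh:
            for line in fh:
                if line.startswith("VERSION_CODENAME="):
                    return line.split("=", 1)[1].strip().strip('"')
    except OSError:
        return None
    return None


if __name__ == "__main__":
    release = ubuntu_codename() or "unknown"
    ver = installed_version()
    if ver is None:
        print("python3-urllib3 is not installed or dpkg-query is unavailable")
    else:
        print(f"python3-urllib3 {ver} on {release}: {assess(ver, release)}")
```

The binary package versions on this page match their source versions, so the table can be applied directly to dpkg-query output. The same check does not cover pip's vendored urllib3; that copy is tracked under the python-pip entries above and has to be assessed against that package's version separately.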