
Conversation

@matrixise
Contributor

🔒 Security Fix

This PR addresses Dependabot security alert #120 by upgrading urllib3 from version 2.5.0 to 2.6.2.

Vulnerability Details

  • CVE: CVE-2025-66471
  • GHSA: GHSA-2xpw-w6gg-jr37
  • Severity: High (CVSS v4 score: 8.9/10)
  • CWE: CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)
  • Published: December 5, 2025

Impact

The urllib3 streaming API improperly handles highly compressed data. When streaming a compressed HTTP response, urllib3 could decompress a small amount of highly compressed data in a single operation, leading to:

  • ⚠️ Excessive CPU usage
  • ⚠️ Massive memory allocation for decompressed data
  • ⚠️ Potential denial of service (DoS) attacks

Applications using urllib3's streaming methods (stream(), read(), read1(), read_chunked(), readinto()) to handle compressed responses from untrusted sources were vulnerable.

Fix

Upgraded urllib3 to version 2.6.2, which includes proper limits to prevent decompressing data that exceeds the requested amount.

Files Changed

  • requirements/dev.txt - urllib3: 2.5.0 → 2.6.2
  • requirements/main.txt - urllib3: 2.5.0 → 2.6.2
  • requirements/production.txt - Added typing-extensions dependency

References


Closes #120
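The amplification the PR description above refers to, shown as an added example. This is not urllib3's code and not this project's code: it uses only the Python standard library, builds a constructed gzip payload inline (8 MiB of zeros compressed to a few KiB, the shape of body a hostile server can return with Content-Encoding: gzip), and contrasts one-shot inflation with a bounded inflater that counts decompressed output and aborts once a budget is exceeded. The 1 MiB budget, the 64 KiB step size and all function names are assumptions made for the example.

```python
import gzip
import zlib

# Constructed sample (not a captured HTTP response): 8 MiB of zero bytes gzip-compressed
# down to a few KiB. This is the CWE-409 shape: tiny on the wire, huge once inflated.
PLAIN_SIZE = 8 * 1024 * 1024
BOMB = gzip.compress(b"\x00" * PLAIN_SIZE, compresslevel=9)

# Output budget assumed for this example. A real client would derive it from the amount
# the caller actually asked to read rather than from a fixed constant.
MAX_DECOMPRESSED = 1 * 1024 * 1024

GZIP_WBITS = 16 + zlib.MAX_WBITS  # tell zlib to expect the gzip wrapper


class DecompressionLimitExceeded(Exception):
    pass


def amplification_ratio() -> float:
    """Bytes of output produced per byte of compressed input for the sample payload."""
    return PLAIN_SIZE / len(BOMB)


def inflate_unbounded(data: bytes) -> int:
    """The fragile pattern: inflate the whole body in a single call, however large it
    becomes. Returns the decompressed size; with BOMB that is 8 MiB of allocation
    and CPU for a few KiB read from the socket."""
    return len(zlib.decompress(data, GZIP_WBITS))


def inflate_bounded(data: bytes, limit: int = MAX_DECOMPRESSED, chunk: int = 64 * 1024) -> bytes:
    """Inflate at most `limit` bytes of output.

    zlib's max_length argument caps the output of each decompress() call, and whatever
    compressed input that call did not get to is parked in unconsumed_tail for the next
    call. The caller can therefore account for output as it is produced and abort long
    before the full bomb is expanded, instead of discovering the size after the fact.
    """
    d = zlib.decompressobj(GZIP_WBITS)
    out = bytearray()
    pending = data
    while not d.eof:
        piece = d.decompress(pending, chunk)
        out += piece
        if len(out) > limit:
            raise DecompressionLimitExceeded(f"decompressed output exceeded {limit} bytes")
        pending = d.unconsumed_tail
        if not piece and not pending:
            # No output and nothing left to feed: the stream is truncated or corrupt.
            raise zlib.error("truncated or corrupt compressed stream")
    return bytes(out)


def expand_with_budget(data: bytes, limit: int = MAX_DECOMPRESSED):
    """Returns ('ok', payload) for a body that fits the budget, ('rejected', None) otherwise."""
    try:
        return "ok", inflate_bounded(data, limit)
    except DecompressionLimitExceeded:
        return "rejected", None


if __name__ == "__main__":
    print(f"compressed {len(BOMB)} bytes, ratio {amplification_ratio():.0f}:1")
    print("unbounded inflate produced", inflate_unbounded(BOMB), "bytes")
    print("bounded inflate:", expand_with_budget(BOMB)[0])
```

The point of the bounded version is that the limit is applied to decompressed output, not to compressed input: a few KiB on the wire says nothing about what it expands to, so an input-size check alone does not close this class of bug. The PR text describes the 2.6.2 fix as limiting decompression to the amount requested; the example above is the same idea expressed in standard-library zlib terms and makes no claim about how urllib3 implements it internally.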

- Ignore environment files (.envrc, development.env, production.env)
- Ignore database dumps (*.dump, *.duckdb)
- Ignore local settings (pythonie/pythonie/settings/pgdev.py)
- Ignore MinIO data directory (mc/)
- Ignore personal notes (TODO.md)

Upgrade urllib3 from 2.5.0 to 2.6.2 to address CVE-2025-66471 (GHSA-2xpw-w6gg-jr37), a high-severity vulnerability related to improper handling of highly compressed data in the streaming API.

This vulnerability could lead to excessive CPU and memory consumption when processing highly compressed responses from untrusted sources, potentially causing denial of service.

Fixes: #120
Severity: High (CVSS v4: 8.9)
CWE-409: Improper Handling of Highly Compressed Data
@matrixise matrixise self-assigned this Dec 23, 2025
@matrixise matrixise merged commit 25078af into master Dec 23, 2025
2 checks passed
@matrixise matrixise deleted the security/fix-urllib3-cve-2025-66471 branch January 7, 2026 05:23