{"schema_version":"1.7.2","id":"OESA-2026-1234","modified":"2026-01-23T12:24:06Z","published":"2026-01-23T12:24:06Z","upstream":["CVE-2025-66418"],"summary":"python-urllib3 security update","details":"HTTP library with thread-safe connection pooling, file post support, sanity friendly, and more.\r\n\r\nSecurity Fix(es):\n\nurllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.(CVE-2025-66418)","affected":[{"package":{"ecosystem":"openEuler:24.03-LTS-SP1","name":"python-urllib3","purl":"pkg:rpm/openEuler/python-urllib3&distro=openEuler-24.03-LTS-SP1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.26.18-4.oe2403sp1"}]}],"ecosystem_specific":{"noarch":["python3-urllib3-1.26.18-4.oe2403sp1.noarch.rpm"],"src":["python-urllib3-1.26.18-4.oe2403sp1.src.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1234"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66418"}],"database_specific":{"severity":"High"}}