
BDU:2026-03452

Published: 05 Dec 2025
Source: fstec
CVSS3: 8.6
CVSS2: 7.8
EPSS: Low

Description

A vulnerability in the Python HTTP library urllib3 is caused by incorrect handling of highly compressed input data. Exploiting it could allow a remote attacker to cause a denial of service.

Vendor

Red Hat Inc.
Canonical Ltd.
Fedora Project
ООО «Ред Софт»
Andrey Petrov

Software name

Red Hat Enterprise Linux
OpenShift Container Platform
Red Hat Openshift Data Foundation
Red Hat Satellite
Migration Toolkit for Virtualization
OpenShift Serverless
Red Hat Ansible Automation Platform
OpenShift Dev Spaces
Red Hat OpenStack Platform
Migration Toolkit for Containers
OpenShift Pipelines
Red Hat Ceph Storage
Logging subsystem for Red Hat OpenShift
Red Hat Developer Hub
multicluster engine for Kubernetes
Ubuntu
OpenShift AI
Red Hat OpenShift Lightspeed
Fedora
Red Hat AI Inference Server
Builds for Red Hat OpenShift
Confidential Compute Attestation
Multiarch Tuning Operator
Fedora EPEL
Red Hat OpenShift GitOps
РЕД ОС
RHUI
cert-manager Operator for Red Hat OpenShift
OpenShift API for Data Protection
Multicluster Global Hub
Red Hat Quay
Red Hat Trusted Artifact Signer
Mirror registry for Red Hat OpenShift
Red Hat build of Quarkus Native builder
Red Hat Certification Program for Red Hat Enterprise Linux
Red Hat Connectivity Link
Red Hat Edge Manager preview
Red Hat Enterprise Linux AI
Red Hat Offline Knowledge Portal
Discovery
Network Observability
Red Hat Advanced Cluster Management for Kubernetes
Red Hat Update Infrastructure
External Secrets Operator for Red Hat OpenShift
Fence Agents Remediation Operator
Red Hat Ansible Automation Platform Ansible Core
urllib3

Software version

6 (Red Hat Enterprise Linux)
7 (Red Hat Enterprise Linux)
8 (Red Hat Enterprise Linux)
4 (OpenShift Container Platform)
4 (Red Hat Openshift Data Foundation)
6 (Red Hat Satellite)
9 (Red Hat Enterprise Linux)
8.2 Advanced Update Support (Red Hat Enterprise Linux)
- (Migration Toolkit for Virtualization)
- (OpenShift Serverless)
2 (Red Hat Ansible Automation Platform)
8.4 Advanced Mission Critical Update Support (Red Hat Enterprise Linux)
- (OpenShift Dev Spaces)
17.1 (Red Hat OpenStack Platform)
- (Migration Toolkit for Containers)
- (OpenShift Pipelines)
6 (Red Hat Ceph Storage)
2.4 (Red Hat Ansible Automation Platform)
- (Logging subsystem for Red Hat OpenShift)
- (Red Hat Developer Hub)
- (multicluster engine for Kubernetes)
24.04 LTS (Ubuntu)
7 (Red Hat Ceph Storage)
9.0 Update Services for SAP Solutions (Red Hat Enterprise Linux)
8.6 Update Services for SAP Solutions (Red Hat Enterprise Linux)
8.6 Telecommunications Update Service (Red Hat Enterprise Linux)
8.6 Advanced Mission Critical Update Support (Red Hat Enterprise Linux)
7 Extended Lifecycle Support (Red Hat Enterprise Linux)
- (OpenShift AI)
6.16 for RHEL 8 (Red Hat Satellite)
6.16 for RHEL 9 (Red Hat Satellite)
9.4 Extended Update Support (Red Hat Enterprise Linux)
2.4 for RHEL 8 (Red Hat Ansible Automation Platform)
2.4 for RHEL 9 (Red Hat Ansible Automation Platform)
8 (Red Hat Ceph Storage)
- (Red Hat OpenShift Lightspeed)
2.5 for RHEL 8 (Red Hat Ansible Automation Platform)
2.5 for RHEL 9 (Red Hat Ansible Automation Platform)
42 (Fedora)
10 (Red Hat Enterprise Linux)
8.8 Telecommunications Update Service (Red Hat Enterprise Linux)
8.8 Update Services for SAP Solutions (Red Hat Enterprise Linux)
9.2 Update Services for SAP Solutions (Red Hat Enterprise Linux)
- (Red Hat AI Inference Server)
- (Builds for Red Hat OpenShift)
- (Confidential Compute Attestation)
- (Multiarch Tuning Operator)
epel9 (Fedora EPEL)
8.4 Extended Update Support Long-Life Add-On (Red Hat Enterprise Linux)
epel10 (Fedora EPEL)
43 (Fedora)
1.17 (Red Hat OpenShift GitOps)
25.10 (Ubuntu)
9.6 Extended Update Support (Red Hat Enterprise Linux)
8.0 (РЕД ОС)
9 (Red Hat Ceph Storage)
10.0 Extended Update Support (Red Hat Enterprise Linux)
6.17 for RHEL 9 (Red Hat Satellite)
4 for RHEL 8 (RHUI)
1.18 (cert-manager Operator for Red Hat OpenShift)
1.3 (OpenShift API for Data Protection)
3.2 (Red Hat AI Inference Server)
1.4.4 (Multicluster Global Hub)
1.5.3 (Multicluster Global Hub)
2.25 (OpenShift AI)
3.26 (OpenShift Dev Spaces)
1.18 (Red Hat OpenShift GitOps)
3.1 (Red Hat Quay)
3.12 (Red Hat Quay)
3.13 (Red Hat Quay)
3.15 (Red Hat Quay)
3.16 (Red Hat Quay)
6.18 (Red Hat Satellite)
1.2 (Red Hat Trusted Artifact Signer)
1.3 (Red Hat Trusted Artifact Signer)
2 (Mirror registry for Red Hat OpenShift)
- (Red Hat build of Quarkus Native builder)
9 (Red Hat Certification Program for Red Hat Enterprise Linux)
1 (Red Hat Connectivity Link)
- (Red Hat Edge Manager preview)
3 (Red Hat Enterprise Linux AI)
- (Red Hat Offline Knowledge Portal)
2.6 for RHEL 9 (Red Hat Ansible Automation Platform)
2.5 (Red Hat Ansible Automation Platform)
2 (Discovery)
6.18 for RHEL 9 (Red Hat Satellite)
1.11.0 (Network Observability)
4.8 (Red Hat Advanced Cluster Management for Kubernetes)
4.9 (Red Hat Advanced Cluster Management for Kubernetes)
2.6 (Red Hat Ansible Automation Platform)
3.3 (OpenShift AI)
5 (Red Hat Update Infrastructure)
- (External Secrets Operator for Red Hat OpenShift)
- (Fence Agents Remediation Operator)
2 (Red Hat Ansible Automation Platform Ansible Core)
from 1.0 to 2.6.0 (urllib3)

Software type

Operating system
Application software for information systems
Virtualization software / virtual hardware-software appliance software
Network software
Hardware-software appliance software
Network device
AI development software

Operating systems and hardware platforms

Red Hat Inc. Red Hat Enterprise Linux 6
Red Hat Inc. Red Hat Enterprise Linux 7
Red Hat Inc. Red Hat Enterprise Linux 8
Red Hat Inc. Red Hat Enterprise Linux 9
Red Hat Inc. Red Hat Enterprise Linux 8.2 Advanced Update Support
Red Hat Inc. Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
Canonical Ltd. Ubuntu 24.04 LTS
Red Hat Inc. Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions
Red Hat Inc. Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
Red Hat Inc. Red Hat Enterprise Linux 8.6 Telecommunications Update Service
Red Hat Inc. Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
Red Hat Inc. Red Hat Enterprise Linux 7 Extended Lifecycle Support
Red Hat Inc. Red Hat Enterprise Linux 9.4 Extended Update Support
Fedora Project Fedora 42
Red Hat Inc. Red Hat Enterprise Linux 10
Red Hat Inc. Red Hat Enterprise Linux 8.8 Telecommunications Update Service
Red Hat Inc. Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
Red Hat Inc. Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions
Red Hat Inc. Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On
Fedora Project Fedora 43
Canonical Ltd. Ubuntu 25.10
Red Hat Inc. Red Hat Enterprise Linux 9.6 Extended Update Support
ООО «Ред Софт» РЕД ОС 8.0
Red Hat Inc. Red Hat Enterprise Linux 10.0 Extended Update Support
Red Hat Inc. Red Hat Enterprise Linux AI 3

Vulnerability severity level

High severity (CVSS 2.0 base score 7.8)
High severity (CVSS 3.1 base score 8.6)

Possible remediation measures

In the absence of vendor security updates, it is recommended to follow the "Recommendations for Secure Configuration of LINUX Operating Systems" set out in the FSTEC of Russia methodological document approved on 25 December 2022.
Vendor guidance:
For urllib3:
https://github.com/urllib3/urllib3
https://github.com/urllib3/urllib3/commit/c19571de34c47de3a766541b041637ba5f716ed7
For Ред ОС:
http://repo.red-soft.ru/redos/8.0/x86_64/updates/
For Red Hat Inc. products:
https://access.redhat.com/security/cve/cve-2025-66471
For Ubuntu:
https://ubuntu.com/security/CVE-2025-66471
For Fedora:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2025-66471

Vulnerability status

Confirmed by the vendor

Exploit availability

Data being clarified

Remediation information

Vulnerability fixed

Identifiers in other vulnerability description systems

EPSS

Percentile: 7%
Score: 0.00027
Low

CVSS3: 8.6 High

CVSS2: 7.8 High

Related vulnerabilities

CVSS3: 7.5
ubuntu
4 months ago

urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data).

CVSS3: 7.5
redhat
4 months ago

urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data).

CVSS3: 7.5
nvd
4 months ago

urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data).

msrc
4 months ago

urllib3 Streaming API improperly handles highly compressed data

CVSS3: 7.5
debian
4 months ago

urllib3 is a user-friendly HTTP client library for Python. Starting in ...
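The descriptions above explain the failure mode in general terms: a streaming reader pulls a network-sized piece of compressed data and inflates all of it, so the memory it allocates is governed by the compression ratio of the input rather than by the chunk size the caller asked for. The following added example (not urllib3's code, and not taken from the fix commit linked above) shows that contrast with Python's standard zlib module on a constructed gzip payload of zero bytes: `naive_first_read` inflates everything it read, while `BoundedGzipReader` passes `max_length` to `decompressobj.decompress` and carries leftover compressed input in `unconsumed_tail`, so each `read(amt)` yields at most `amt` bytes. Whether the project's own fix uses this exact mechanism is an assumption; the bounded-output pattern itself is what a defender would want from any streaming decoder.

```python
import io
import zlib

GZIP_WBITS = 16 + zlib.MAX_WBITS  # tell zlib to read/write the gzip container


def make_compressible_payload(size: int, chunk: int = 1 << 20) -> bytes:
    """Constructed sample input: `size` zero bytes, gzip-compressed a chunk at a
    time so the uncompressed data is never held in memory all at once."""
    comp = zlib.compressobj(9, zlib.DEFLATED, GZIP_WBITS)
    zeros = b"\0" * chunk
    out = []
    remaining = size
    while remaining > 0:
        n = min(chunk, remaining)
        out.append(comp.compress(zeros[:n]))
        remaining -= n
    out.append(comp.flush())
    return b"".join(out)


def naive_first_read(raw: io.BufferedIOBase, network_chunk: int = 8192) -> bytes:
    """The unsafe pattern: pull one network-sized piece of compressed data and
    inflate all of it, however much plaintext it expands to."""
    dec = zlib.decompressobj(GZIP_WBITS)
    return dec.decompress(raw.read(network_chunk))


class BoundedGzipReader:
    """Streams a gzip body and never inflates more than `amt` bytes per read().

    Compressed input the decompressor did not need yet is kept in
    unconsumed_tail and fed back on the next call, so the output size is bounded
    by the caller's request rather than by the compression ratio of the input."""

    def __init__(self, raw: io.BufferedIOBase, network_chunk: int = 8192):
        self._raw = raw
        self._network_chunk = network_chunk
        self._dec = zlib.decompressobj(GZIP_WBITS)
        self._pending = b""        # compressed bytes read but not yet inflated
        self._raw_exhausted = False
        self.bytes_inflated = 0    # total plaintext produced, for diagnostics

    def read(self, amt: int) -> bytes:
        out = bytearray()
        while len(out) < amt:
            if not self._pending and not self._raw_exhausted:
                self._pending = self._raw.read(self._network_chunk)
                if not self._pending:
                    self._raw_exhausted = True
            # max_length caps the output of this call; leftover compressed input
            # stays in unconsumed_tail instead of being inflated now.
            piece = self._dec.decompress(self._pending, amt - len(out))
            self._pending = self._dec.unconsumed_tail
            self.bytes_inflated += len(piece)
            out += piece
            if not piece and (self._raw_exhausted or self._dec.eof):
                break
        return bytes(out)


def drain(reader: BoundedGzipReader, amt: int) -> int:
    """Read the rest of the stream in `amt`-sized chunks; returns total bytes."""
    total = 0
    while True:
        chunk = reader.read(amt)
        if not chunk:
            return total
        total += len(chunk)


def demo(size: int = 16 * 1024 * 1024) -> dict:
    """Compare the two readers on the same constructed payload."""
    payload = make_compressible_payload(size)
    naive = naive_first_read(io.BytesIO(payload))
    bounded = BoundedGzipReader(io.BytesIO(payload))
    first = bounded.read(1024)
    return {
        "compressed_len": len(payload),
        "naive_first_read_len": len(naive),
        "bounded_first_read_len": len(first),
        "bounded_inflated_after_first_read": bounded.bytes_inflated,
        "bounded_total": len(first) + drain(bounded, 64 * 1024),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the 16 MiB sample the compressed payload is only a few tens of kilobytes, so the naive reader allocates several megabytes from a single 8 KiB network read, while the bounded reader returns exactly the 1024 bytes requested and has inflated nothing beyond that. The same bounded reader still delivers the whole stream when drained, including a body shorter than the requested chunk, so the cap costs no correctness.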
