This advisory covers three vulnerabilities in the python3.11-urllib3 package affecting Red Hat Enterprise Linux 9.4 EUS. CVE-2025-66418 involves an unbounded decompression chain that can lead to resource exhaustion. CVE-2025-66471 concerns improper handling of highly compressed data in the urllib3 streaming API. CVE-2026-21441 describes a bypass of the decompression-bomb safeguard when following HTTP redirects in the streaming API. These issues could allow an attacker to cause denial of service through resource exhaustion or bypass protections designed to prevent decompression bombs. Red Hat has released updated python3.11-urllib3 packages that fix these vulnerabilities. The advisory is rated as Important by Red Hat Product Security. No CVSS scores are provided in the advisory, but the severity is assessed as high based on the impact descriptions.

The vulnerabilities can lead to resource exhaustion on affected systems due to unbounded decompression chains and improper handling of compressed data, potentially causing denial of service conditions. The decompression-bomb safeguard bypass could allow attackers to circumvent protections designed to prevent excessive resource consumption during HTTP redirects. There are no reports of known exploits in the wild at this time. The impact is primarily on system availability and stability when processing maliciously crafted compressed data via urllib3.

Red Hat has released updated python3.11-urllib3 packages for Red Hat Enterprise Linux 9.4 Extended Update Support that address these vulnerabilities. Users should apply these official updates as soon as possible to remediate the issues. For detailed update instructions, refer to the Red Hat advisory at https://access.redhat.com/articles/11258. There is no indication from the vendor advisory that additional mitigations or workarounds are required beyond applying the provided patches.