False positive: CVE-2025-66418, CVE-2025-66471, python3-urllib3, CVE-2026-21441

[etarast]

Question

We were running Trivy scan on image that use python3-urllib3 patched version as per changelog via SUSE Program Temporary Fix (PTF) 1.25.10-150300.4.18.1.30994.1.PTF.1257371

According to SUSE Advisory:
python3-urllib3 >= 1.25.10-150300.4.21.1
python311-urllib3 >= 2.0.7-150400.7.27.1
python311-urllib3_1 >= 1.26.18-150600.3.6.1

Trivy reports
"VulnerabilityID": "SUSE-SU-2026:0443-1",
"PkgID": "python3-urllib3@1.25.10-150300.4.18.1.30994.1.PTF.1257371.noarch",
"PkgName": "python3-urllib3",
"PkgIdentifier": {
"PURL": "pkg:rpm/suse/python3-urllib3@1.25.10-150300.4.18.1.30994.1.PTF.1257371?arch=noarch\u0026distro=sles-15.7",
"UID": "8436e187bad5ba58"
},
"InstalledVersion": "1.25.10-150300.4.18.1.30994.1.PTF.1257371",
"FixedVersion": "1.25.10-150300.4.21.1",
"Status": "fixed",
"Layer": {
"DiffID": "sha256:eee43940cdbeb635cb0ce01f30b118a3e59e03405e874f5617f148ed723713d4"
},
"SeveritySource": "suse-cvrf",
"DataSource": {
"ID": "suse-cvrf",
"Name": "SUSE CVRF",
"URL": "https://ftp.suse.com/pub/projects/security/cvrf/"
},
"Title": "Security update for python-urllib3",
"Description": "This update for python-urllib3_1 fixes the following issues:\n\n- CVE-2025-66471: excessive resource consumption via decompression of highly compressed data in Streaming API (bsc#1254867).\n- CVE-2025-66418: resource exhaustion via unbounded number of links in the decompression chain (bsc#1254866).\n- CVE-2026-21441: excessive resource consumption during decompression of data in HTTP redirect responses (bsc#1256331).\n",
"Severity": "MEDIUM",
"VendorSeverity": {
"suse-cvrf": 2
},
"References": [
"https://bugzilla.suse.com/1254866",
"https://bugzilla.suse.com/1254867",
"https://bugzilla.suse.com/1256331",
"https://lists.suse.com/pipermail/sle-security-updates/2026-February/024105.html",
"https://www.suse.com/security/cve/CVE-2025-66418/",
"https://www.suse.com/security/cve/CVE-2025-66471/",
"https://www.suse.com/security/cve/CVE-2026-21441/",
"https://www.suse.com/support/security/rating/",
"https://www.suse.com/support/update/announcement/2026/suse-su-20260443-1/"
]

But according to SUSE Program Temporary Fix (PTF) it is already patched:
Ref Security update for python-urllib3_1 SUSE Support

1254866 – (CVE-2025-66418) VUL-0: CVE-2025-66418: python-urllib3,python-urllib3_1,python36-urllib3: resource exhaustion via unbounded number of links in the decompression chain

So, has Trivy looking into SUSE PTF?

Target

None

Scanner

Vulnerability

Output Format

JSON

Mode

None

Operating System

SUSE Linux Enterprise Server 15 SP7

Version

v.0.69.1

[DmitriyLewen]

Hi @etarast ,

SUSE has 2 advisories fixing these CVEs:
https://www.suse.com/support/update/announcement/2026/suse-su-20260635-1/
https://www.suse.com/support/update/announcement/2026/suse-su-20260443-1/
And the fixed packages are different for different SUSE versions.
Which SUSE version are you using?

[eottsab]

Hi @DmitriyLewen
We use SUSE Linux Enterprise Server 15 SP7.
BRs
Sabrina

[DmitriyLewen]

Hi @eottsab ,

Sorry for the confusion in my previous reply — I also missed that SUSE-SU-2026:0635-1 only covers python311-urllib3_1, not your package. Let me clarify the full picture:

  │       Package       │      Advisory       │     Fixed version     │                      CVEs                      │
  ├─────────────────────┼─────────────────────┼───────────────────────┼────────────────────────────────────────────────┤
  │ python3-urllib3     │ SUSE-SU-2026:0443-1 │ 1.25.10-150300.4.21.1 │ CVE-2025-66418, CVE-2025-66471, CVE-2026-21441 │
  ├─────────────────────┼─────────────────────┼───────────────────────┼────────────────────────────────────────────────┤
  │ python311-urllib3   │ SUSE-SU-2026:0255-1 │ 2.0.7-150400.7.24.1   │ CVE-2026-21441                                 │
  ├─────────────────────┼─────────────────────┼───────────────────────┼────────────────────────────────────────────────┤
  │ python311-urllib3   │ SUSE-SU-2026:0367-1 │ 2.0.7-150400.7.27.1   │ CVE-2025-66471, CVE-2025-66418                 │
  ├─────────────────────┼─────────────────────┼───────────────────────┼────────────────────────────────────────────────┤
  │ python311-urllib3_1 │ SUSE-SU-2026:0635-1 │ 1.26.18-150600.3.6.1  │ CVE-2025-66418, CVE-2025-66471, CVE-2026-21441 │
  └─────────────────────┴─────────────────────┴───────────────────────┴────────────────────────────────────────────────┘

Your installed package is python3-urllib3@1.25.10-150300.4.18.1.30994.1.PTF.1257371, so the relevant advisory is SUSE-SU-2026:0443-1, which requires version 1.25.10-150300.4.21.1.

The PTF version you have (4.18.1.PTF.1257371) is lower than the fixed version (4.21.1), so Trivy's report is correct. PTFs are out-of-band fixes and do not replace the official advisory package. You would need to update python3-urllib3 to
1.25.10-150300.4.21.1 via the standard SUSE update channel.

[eottsab]

Hi @DmitriyLewen

What you wrote does not prove that the report is correct, but only that Trivy is not able to recognize the patch.
Question here was not to validate the False Positive which has already been conclusively confirmed by the changelog:

rpm -q --changelog python3-urllib3-1.25.10-150300.4.18.1.30994.1.PTF.1257371.noarch

• Thu Jan 29 2026 lidong.zhong@suse.com

• Add security patches(bsc#1257371, CVE-2025-66471, CVE-2025-66418):
  • CVE-2025-66471 (bsc#1254867)
  • CVE-2025-66418 (bsc#1254866)

But to know whether there is a plan to resolve this issue and avoid reporting false positives in case the fix comes through SUSE Program Temporary Fix (PTF) and make Trivy more reliable.
Any answer on that?
Thanks
Sabrina