diff --git a/backport-CVE-2025-66418.patch b/backport-CVE-2025-66418.patch
new file mode 100644
index 0000000000000000000000000000000000000000..29f83a5093b090dc4f9466afb61323b1ec5c6010
--- /dev/null
+++ b/backport-CVE-2025-66418.patch
@@ -0,0 +1,66 @@
+From 24d7b67eac89f94e11003424bcf0d8f7b72222a8 Mon Sep 17 00:00:00 2001
+From: Illia Volochii
+Date: Fri, 5 Dec 2025 16:41:33 +0200
+Subject: [PATCH] Merge commit from fork
+
+* Add a hard-coded limit for the decompression chain
+
+* Reuse new list
+
+Reference:https://github.com/urllib3/urllib3/commit/24d7b67e.patch
+Conflict:response.py has been refactored and need adaptation,
+test_response.py needs to be adapted because some test cases were not
+merged.
+---
+ src/urllib3/response.py | 12 +++++++++++-
+ test/test_response.py | 10 ++++++++++
+ 2 files changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/src/urllib3/response.py b/src/urllib3/response.py
+index 0bd13d4..143d0ea 100644
+--- a/src/urllib3/response.py
++++ b/src/urllib3/response.py
+@@ -135,8 +135,18 @@ class MultiDecoder(object):
+         they were applied.
+     """
+
++    # Maximum allowed number of chained HTTP encodings in the
++    # Content-Encoding header.
++    max_decode_links = 5
++
+     def __init__(self, modes):
+-        self._decoders = [_get_decoder(m.strip()) for m in modes.split(",")]
++        encodings = [m.strip() for m in modes.split(",")]
++        if len(encodings) > self.max_decode_links:
++            raise DecodeError(
++                "Too many content encodings in the chain: "
++                f"{len(encodings)} > {self.max_decode_links}"
++            )
++        self._decoders = [_get_decoder(e) for e in encodings]
+
+     def flush(self):
+         return self._decoders[0].flush()
+diff --git a/test/test_response.py b/test/test_response.py
+index 653df91..5c4fb19 100644
+--- a/test/test_response.py
++++ b/test/test_response.py
+@@ -298,6 +298,16 @@ class TestResponse(object):
+
+         assert r.data == b"foo"
+
++    def test_read_multi_decoding_too_many_links(self):
++        fp = BytesIO(b"foo")
++        with pytest.raises(
++            DecodeError, match="Too many content encodings in the chain: 6 > 5"
++        ):
++            HTTPResponse(
++                fp,
++                headers={"content-encoding": "gzip, deflate, br, zstd, gzip, deflate"},
++            )
++
+     def test_body_blob(self):
+         resp = HTTPResponse(b"foo")
+         assert resp.data == b"foo"
+--
+2.43.0
+
diff --git a/python-urllib3.spec b/python-urllib3.spec
index 6d5d3b5552462995d10ee0ea8e9b8f6ee64e5643..cbdfd21d0c501bf82c36a0fb05d6e291091f7eb7 100644
--- a/python-urllib3.spec
+++ b/python-urllib3.spec
@@ -3,7 +3,7 @@ Name: python-%{srcname}
 Version: 1.26.18
-Release: 3
+Release: 4
 Summary: Sanity-friendly HTTP client for Python
 License: MIT
 URL: https://urllib3.readthedocs.io
@@ -14,6 +14,7 @@ Patch0001: remove_mock.patch
 Patch6000: backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redirects.patch
 Patch6001: backport-CVE-2025-50181-fix-suspend-redirec-ineffective.patch
+Patch6002: backport-CVE-2025-66418.patch
 BuildArch: noarch
@@ -79,7 +80,13 @@ PYTHONPATH=%{buildroot}%{python3_sitelib}:%{python3_sitelib} %{__python3} -m pyt
 %{python3_sitelib}/urllib3-*.egg-info
 %changelog
-* Tue Jul 2025 tangce - 1.26.18-3
+* Thu Dec 11 2025 tangce - 1.26.18-4
+- Type:CVE
+- CVE:CVE-2025-66418
+- SUG:NA
+- DESC:fix CVE-2025-66418
+
+* Tue Jul 22 2025 tangce - 1.26.18-3
 - Type:CVE
 - CVE:CVE-2025-50181
 - SUG:NA
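Review bot: The error message added to `MultiDecoder.__init__` is an f-string, while the same hunk still shows the branch's Python 2-style `class MultiDecoder(object):` base, so this backport presumably ends the 1.26 file's 2.7 syntax compatibility; `"Too many content encodings in the chain: {} > {}".format(len(encodings), self.max_decode_links)` would keep the file's idiom with identical output (the spec builds only Python 3, so this is style, not a build break). The comment on `max_decode_links` could also state what the limit does not cover, e.g. `# Bounds only the number of chained decoders; the expanded size of any single decoder's output is not limited here.` The new test relies on `HTTPResponse(fp, headers=...)` building the decoder chain inside `__init__` (preload_content defaulting to True); if this branch's constructor defers `_init_decoder` to `read()`, `pytest.raises` would see no error, so this is worth confirming against the 1.26 constructor rather than the upstream one the test was adapted from.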