Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/50428?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/50428?format=api", "purl": "pkg:pypi/urllib3@2.2.2", "type": "pypi", "namespace": "", "name": "urllib3", "version": "2.2.2", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "2.7.0", "latest_non_vulnerable_version": "2.7.0", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37336?format=api", "vulnerability_id": "VCID-ueb4-ur9q-u3e1", "summary": "urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-44431.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-44431.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44431", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02187", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44431" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-44431", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-44431" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/urllib3/urllib3", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/urllib3/urllib3" }, { "reference_url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T16:51:26Z/" } ], "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44431", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44431" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136653", "reference_id": "1136653", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136653" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477167", "reference_id": "2477167", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477167" }, { "reference_url": "https://usn.ubuntu.com/8379-1/", "reference_id": "USN-8379-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8379-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/50437?format=api", "purl": "pkg:pypi/urllib3@2.7.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/urllib3@2.7.0" } ], "aliases": [ "CVE-2026-44431", "GHSA-qccp-gfcp-xxvc", "PYSEC-2026-141" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ueb4-ur9q-u3e1" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55383?format=api", "vulnerability_id": "VCID-136z-72qc-13aw", "summary": "urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects\nWhen using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected.\n\nHowever, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects.\n\nBecause this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident.\n\nUsers should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-37891.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-37891.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-37891", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00222", "scoring_system": "epss", "scoring_elements": "0.44925", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-37891" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37891", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37891" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/urllib3/urllib3", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/urllib3/urllib3" }, { "reference_url": "https://github.com/urllib3/urllib3/commit/40b6d1605814dd1db0a46e202d6e56f2e4c9a468", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/urllib3/urllib3/commit/40b6d1605814dd1db0a46e202d6e56f2e4c9a468" }, { "reference_url": "https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-18T13:49:45Z/" } ], "url": "https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00020.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00020.html" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20240822-0003", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.netapp.com/advisory/ntap-20240822-0003" }, { "reference_url": "https://www.vicarius.io/vsociety/posts/proxy-authorization-header-handling-vulnerability-in-urllib3-cve-2024-37891", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.vicarius.io/vsociety/posts/proxy-authorization-header-handling-vulnerability-in-urllib3-cve-2024-37891" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074149", "reference_id": "1074149", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074149" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2292788", "reference_id": "2292788", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2292788" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37891", "reference_id": "CVE-2024-37891", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37891" }, { "reference_url": "https://github.com/advisories/GHSA-34jh-p97f-mpxf", "reference_id": "GHSA-34jh-p97f-mpxf", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-34jh-p97f-mpxf" }, { "reference_url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-34jh-p97f-mpxf", "reference_id": "GHSA-34jh-p97f-mpxf", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-18T13:49:45Z/" } ], "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-34jh-p97f-mpxf" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:4422", "reference_id": "RHSA-2024:4422", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:4422" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:4730", "reference_id": "RHSA-2024:4730", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:4730" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:4744", "reference_id": "RHSA-2024:4744", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:4744" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:4746", "reference_id": "RHSA-2024:4746", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:4746" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:5041", "reference_id": "RHSA-2024:5041", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:5041" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:5309", "reference_id": "RHSA-2024:5309", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:5309" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:5526", "reference_id": "RHSA-2024:5526", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:5526" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:5622", "reference_id": "RHSA-2024:5622", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:5622" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:5627", "reference_id": "RHSA-2024:5627", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:5627" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:5633", "reference_id": "RHSA-2024:5633", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:5633" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:6162", "reference_id": "RHSA-2024:6162", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:6162" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:6239", "reference_id": "RHSA-2024:6239", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:6239" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:6240", "reference_id": "RHSA-2024:6240", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:6240" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:6309", "reference_id": "RHSA-2024:6309", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:6309" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:6310", "reference_id": "RHSA-2024:6310", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:6310" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:6311", "reference_id": "RHSA-2024:6311", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:6311" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:6358", "reference_id": "RHSA-2024:6358", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:6358" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:7312", "reference_id": "RHSA-2024:7312", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:7312" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:8035", "reference_id": "RHSA-2024:8035", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:8035" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:8842", "reference_id": "RHSA-2024:8842", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:8842" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:8843", "reference_id": "RHSA-2024:8843", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:8843" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:8906", "reference_id": "RHSA-2024:8906", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:8906" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:9457", "reference_id": "RHSA-2024:9457", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:9457" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:9458", "reference_id": "RHSA-2024:9458", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:9458" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:9922", "reference_id": "RHSA-2024:9922", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:9922" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:9923", "reference_id": "RHSA-2024:9923", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:9923" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:9985", "reference_id": "RHSA-2024:9985", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:9985" }, { "reference_url": "https://usn.ubuntu.com/7084-1/", "reference_id": "USN-7084-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7084-1/" }, { "reference_url": "https://usn.ubuntu.com/7084-2/", "reference_id": "USN-7084-2", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7084-2/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/50419?format=api", "purl": "pkg:pypi/urllib3@1.26.19", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-ueb4-ur9q-u3e1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/urllib3@1.26.19" }, { "url": "http://public2.vulnerablecode.io/api/packages/50428?format=api", "purl": "pkg:pypi/urllib3@2.2.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-ueb4-ur9q-u3e1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/urllib3@2.2.2" } ], "aliases": [ "CVE-2024-37891", "GHSA-34jh-p97f-mpxf" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-136z-72qc-13aw" } ], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/urllib3@2.2.2" }