| purl | pkg:deb/debian/python-urllib3@0?distro=trixie |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | | |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-dxkv-8f9g-47e9 | urllib3 does not control redirects in browsers and Node.js. urllib3 [supports](https://urllib3.readthedocs.io/en/2.4.0/reference/contrib/emscripten.html) being used in a Pyodide runtime utilizing the [JavaScript Fetch API](https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API) or falling back on [XMLHttpRequest](https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest). This means you can use Python libraries to make HTTP requests from your browser or Node.js. Additionally, urllib3 provides [a mechanism](https://urllib3.readthedocs.io/en/2.4.0/user-guide.html#retrying-requests) to control redirects. However, the `retries` and `redirect` parameters are ignored with Pyodide; the runtime itself determines redirect behavior. **Affected usages:** Any code which relies on urllib3 to control the number of redirects for an HTTP request in a Pyodide runtime. **Impact:** Redirects are often used to exploit SSRF vulnerabilities. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects may remain vulnerable if a Pyodide runtime redirect mechanism is unsuitable. **Remediation:** If you use urllib3 in Node.js, upgrade to a patched version of urllib3. Unfortunately, browsers provide no suitable way which urllib3 can use: `XMLHttpRequest` provides no control over redirects, the Fetch API returns `opaqueredirect` responses lacking data when redirects are controlled manually. Expect default browser behavior for redirects. | CVE-2025-50182 GHSA-48p4-8xcf-vxj5 |
| VCID-z965-xgv5-fqet | Versions 1.17 and 1.18 of the Python urllib3 library suffer from a vulnerability that can cause them, in certain configurations, to not correctly validate TLS certificates. This places users of the library with those configurations at risk of man-in-the-middle and information leakage attacks. This vulnerability affects users using versions 1.17 and 1.18 of the urllib3 library, who are using the optional PyOpenSSL support for TLS instead of the regular standard library TLS backend, and who are using OpenSSL 1.1.0 via PyOpenSSL. This is an extremely uncommon configuration, so the security impact of this vulnerability is low. | CVE-2016-9015 GHSA-v4w5-p2hg-8fh6 PYSEC-2017-98 |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-16T10:13:59.555340+00:00 | Debian Importer | Fixing | VCID-z965-xgv5-fqet | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-16T09:21:04.313977+00:00 | Debian Importer | Fixing | VCID-dxkv-8f9g-47e9 | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-13T06:52:50.789279+00:00 | Debian Importer | Fixing | VCID-z965-xgv5-fqet | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-11T18:14:47.653322+00:00 | Debian Importer | Fixing | VCID-dxkv-8f9g-47e9 | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-03T07:50:55.947432+00:00 | Debian Importer | Fixing | VCID-dxkv-8f9g-47e9 | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |
| 2026-04-03T07:50:55.281979+00:00 | Debian Importer | Fixing | VCID-z965-xgv5-fqet | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |