Package details: pkg:deb/debian/python-urllib3@1.26.12-1%2Bdeb12u2?distro=trixie
purl pkg:deb/debian/python-urllib3@1.26.12-1%2Bdeb12u2?distro=trixie
Vulnerabilities affecting this package (0)

This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (2)

Vulnerability: VCID-7wcj-zvjq-xud3
Aliases: CVE-2025-50181, GHSA-pq67-6m6q-mj2v
Summary: urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation

urllib3 handles redirects and retries using the same mechanism, which is controlled by the `Retry` object. The most common way to disable redirects is at the request level, as follows:

```python
import urllib3

resp = urllib3.request("GET", "https://httpbin.org/redirect/1", redirect=False)
print(resp.status)  # 302
```

However, it is also possible to disable redirects for all requests by instantiating a `PoolManager` and specifying `retries` in a way that disables redirects:

```python
import urllib3

http = urllib3.PoolManager(retries=0)  # should raise MaxRetryError on redirect
http = urllib3.PoolManager(retries=urllib3.Retry(redirect=0))  # equivalent to the above
http = urllib3.PoolManager(retries=False)  # should return the first response
resp = http.request("GET", "https://httpbin.org/redirect/1")
```

However, the `retries` parameter is currently ignored, which means none of the above examples disable redirects.

## Affected usages

Passing `retries` on `PoolManager` instantiation to disable redirects or restrict their number. By default, requests and botocore users are not affected.

## Impact

Redirects are often used to exploit SSRF vulnerabilities. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects at the PoolManager level will remain vulnerable.

## Remediation

You can remediate this vulnerability with the following steps:

* Upgrade to a patched version of urllib3. If your organization would benefit from the continued support of urllib3 1.x, please contact [sethmichaellarson@gmail.com](mailto:sethmichaellarson@gmail.com) to discuss sponsorship or contribution opportunities.
* Disable redirects at the `request()` level instead of the `PoolManager()` level.
Vulnerability: VCID-v365-pn8r-e7dh
Aliases: CVE-2025-66418, GHSA-gm62-xv2j-4w53
Summary: urllib3 allows an unbounded number of links in the decompression chain

urllib3 supports chained HTTP encoding algorithms for response content according to RFC 9110 (e.g., `Content-Encoding: gzip, zstd`). However, the number of links in the decompression chain was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps, leading to high CPU usage and massive memory allocation for the decompressed data.
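The VCID-7wcj-zvjq-xud3 advisory above says pool-level `retries` settings were silently ignored, so an application relying on them as its SSRF mitigation would still follow redirects. The script below is an added check, not code from the advisory or from the urllib3 project: it starts a constructed redirecting HTTP server on 127.0.0.1 (the `RedirectHandler` class, the `/start` and `/final` paths and all function names are assumptions of this example) and compares the per-request mitigation the advisory recommends (`redirect=False`) with the two pool-level forms it lists (`retries=False`, `retries=0`). On an installed urllib3, a 302 coming back from the pool-level probes means the setting is honoured; a 200 means the redirect was followed despite it.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

import urllib3
from urllib3.exceptions import MaxRetryError


class RedirectHandler(BaseHTTPRequestHandler):
    """Constructed test server: every path except /final answers 302 -> /final."""

    def do_GET(self):
        if self.path == "/final":
            body = b"final"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_response(302)
            self.send_header("Location", "/final")
            self.send_header("Content-Length", "0")
            self.end_headers()

    def log_message(self, *args):
        pass  # keep the check quiet


def start_server():
    """Bind an ephemeral port on localhost and serve from a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), RedirectHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}/start"


def request_level_status(url):
    """Mitigation the advisory recommends: redirect=False on the request itself."""
    http = urllib3.PoolManager()
    return http.request("GET", url, redirect=False).status


def pool_level_retries_false(url):
    """PoolManager(retries=False): 302 if honoured (fixed), 200 if ignored (affected)."""
    http = urllib3.PoolManager(retries=False)
    return http.request("GET", url).status


def pool_level_retries_zero(url):
    """PoolManager(retries=0): 'MaxRetryError' if honoured (fixed), 200 if ignored."""
    http = urllib3.PoolManager(retries=0)
    try:
        return http.request("GET", url).status
    except MaxRetryError:
        return "MaxRetryError"


def check_redirect_handling():
    """Run the three probes against the local server and report what was observed."""
    server, url = start_server()
    try:
        result = {
            "urllib3_version": urllib3.__version__,
            "request_level": request_level_status(url),
            "pool_level_retries_false": pool_level_retries_false(url),
            "pool_level_retries_zero": pool_level_retries_zero(url),
        }
    finally:
        server.shutdown()
        server.server_close()
    # Pool-level settings are honoured only when the first response (302) comes back.
    result["pool_level_honoured"] = result["pool_level_retries_false"] == 302
    return result


if __name__ == "__main__":
    for key, value in check_redirect_handling().items():
        print(f"{key}: {value}")
```

The request-level probe returns 302 on every urllib3 release, which is why the advisory recommends it as the remediation that does not depend on the installed version; `pool_level_honoured` is False on an affected build and True once the fix is present.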

Date | Actor | Action | Vulnerability | Source | VulnerableCode Version
2026-04-16T12:07:04.406261+00:00 | Debian Importer | Fixing | VCID-v365-pn8r-e7dh | https://security-tracker.debian.org/tracker/data/json | 38.4.0
2026-04-16T10:40:17.922932+00:00 | Debian Importer | Fixing | VCID-7wcj-zvjq-xud3 | https://security-tracker.debian.org/tracker/data/json | 38.4.0
2026-04-13T08:17:06.408551+00:00 | Debian Importer | Fixing | VCID-v365-pn8r-e7dh | https://security-tracker.debian.org/tracker/data/json | 38.3.0
2026-04-13T07:13:03.402454+00:00 | Debian Importer | Fixing | VCID-7wcj-zvjq-xud3 | https://security-tracker.debian.org/tracker/data/json | 38.3.0
2026-04-03T07:50:56.004640+00:00 | Debian Importer | Fixing | VCID-v365-pn8r-e7dh | https://security-tracker.debian.org/tracker/data/json | 38.1.0
2026-04-03T07:50:55.879397+00:00 | Debian Importer | Fixing | VCID-7wcj-zvjq-xud3 | https://security-tracker.debian.org/tracker/data/json | 38.1.0