Vulnerabilities affecting this package (0)
Vulnerability |
Summary |
Fixed by |
This package is not known to be affected by vulnerabilities.
|
Vulnerabilities fixed by this package (2)
Vulnerability |
Summary |
Aliases |
VCID-drxa-m5zr-zfag
|
urllib3 does not control redirects in browsers and Node.js
urllib3 [supports](https://urllib3.readthedocs.io/en/2.4.0/reference/contrib/emscripten.html) being used in a Pyodide runtime utilizing the [JavaScript Fetch API](https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API) or falling back on [XMLHttpRequest](https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest). This means you can use Python libraries to make HTTP requests from your browser or Node.js. Additionally, urllib3 provides [a mechanism](https://urllib3.readthedocs.io/en/2.4.0/user-guide.html#retrying-requests) to control redirects.
However, the `retries` and `redirect` parameters are ignored with Pyodide; the runtime itself determines redirect behavior.
## Affected usages
Any code which relies on urllib3 to control the number of redirects for an HTTP request in a Pyodide runtime.
## Impact
Redirects are often used to exploit SSRF vulnerabilities. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects may remain vulnerable if a Pyodide runtime redirect mechanism is unsuitable.
## Remediation
If you use urllib3 in Node.js, upgrade to a patched version of urllib3.
Unfortunately, browsers provide no suitable way which urllib3 can use: `XMLHttpRequest` provides no control over redirects, the Fetch API returns `opaqueredirect` responses lacking data when redirects are controlled manually. Expect default browser behavior for redirects.
|
CVE-2025-50182
GHSA-48p4-8xcf-vxj5
|
VCID-y7sq-a7ta-qye7
|
urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation
urllib3 handles redirects and retries using the same mechanism, which is controlled by the `Retry` object. The most common way to disable redirects is at the request level, as follows:
```python
resp = urllib3.request("GET", "https://httpbin.org/redirect/1", redirect=False)
print(resp.status)
# 302
```
However, it is also possible to disable redirects, for all requests, by instantiating a `PoolManager` and specifying `retries` in a way that disable redirects:
```python
import urllib3
http = urllib3.PoolManager(retries=0) # should raise MaxRetryError on redirect
http = urllib3.PoolManager(retries=urllib3.Retry(redirect=0)) # equivalent to the above
http = urllib3.PoolManager(retries=False) # should return the first response
resp = http.request("GET", "https://httpbin.org/redirect/1")
```
However, the `retries` parameter is currently ignored, which means all the above examples don't disable redirects.
## Affected usages
Passing `retries` on `PoolManager` instantiation to disable redirects or restrict their number.
By default, requests and botocore users are not affected.
## Impact
Redirects are often used to exploit SSRF vulnerabilities. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects at the PoolManager level will remain vulnerable.
## Remediation
You can remediate this vulnerability with the following steps:
* Upgrade to a patched version of urllib3. If your organization would benefit from the continued support of urllib3 1.x, please contact [sethmichaellarson@gmail.com](mailto:sethmichaellarson@gmail.com) to discuss sponsorship or contribution opportunities.
* Disable redirects at the `request()` level instead of the `PoolManager()` level.
|
CVE-2025-50181
GHSA-pq67-6m6q-mj2v
|