CVE-2025-50181

EUVD-2025-18908

19.06.2025, 01:15

urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disable redirects. By default, requests and botocore users are not affected. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects at the PoolManager level will remain vulnerable. This issue has been patched in version 2.5.0.

Open Redirect

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
GitHub_M	CNA	5.3 MEDIUM	NETWORK	HIGH	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 24%

Affected Products (NVD)

Vendor	Product	Version
python	urllib3	𝑥 < 2.5.0

𝑥

= Vulnerable software versions

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
urllib3	urllib3	𝑥 < 2.5.0	CNA

Ubuntu Releases

Ubuntu Product

Codename

python-pip

bionic	not-affected
focal	not-affected
jammy	Fixed 22.0.2+dfsg-1ubuntu0.6 released
noble	Fixed 24.0+dfsg-1ubuntu1.2 released
oracular	Fixed 24.2+dfsg-1ubuntu0.2 released
plucky	Fixed 25.0+dfsg-1ubuntu0.1 released
trusty	not-affected
xenial	not-affected

python-urllib3

bionic	Fixed 1.22-1ubuntu0.18.04.2+esm3 released
focal	Fixed 1.25.8-2ubuntu0.4+esm1 released
jammy	Fixed 1.26.5-1~exp1ubuntu0.3 released
noble	Fixed 2.0.7-1ubuntu0.2 released
oracular	Fixed 2.0.7-2ubuntu0.2 released
plucky	Fixed 2.3.0-2ubuntu0.1 released
trusty	not-affected
xenial	Fixed 1.13.1-2ubuntu0.16.04.4+esm3 released

openSUSE / SLES Releases

openSUSE Product

Release

python-urllib3

suse enterprise sap 12	1.25.10-3.43.1 fixed
suse enterprise sap 12 SP3	1.25.10-3.43.1 fixed
suse enterprise sap 12 SP4	1.25.10-3.43.1 fixed
suse enterprise sap 12 SP5	1.25.10-3.43.1 fixed
suse enterprise server 12	1.25.10-3.43.1 fixed
suse enterprise server 12 SP3	1.25.10-3.43.1 fixed
suse enterprise server 12 SP4	1.25.10-3.43.1 fixed
suse enterprise server 12 SP5	1.25.10-3.43.1 fixed

python3-urllib3

suse enterprise sap 12	1.25.10-3.43.1 fixed
suse enterprise sap 12 SP3	1.25.10-3.43.1 fixed
suse enterprise sap 12 SP4	1.25.10-3.43.1 fixed
suse enterprise sap 12 SP5	1.25.10-3.43.1 fixed
suse enterprise server 12	1.25.10-3.43.1 fixed
suse enterprise server 12 SP3	1.25.10-3.43.1 fixed
suse enterprise server 12 SP4	1.25.10-3.43.1 fixed
suse enterprise server 12 SP5	1.25.10-3.43.1 fixed
suse enterprise server 15 SP4	1.25.10-150300.4.18.1 fixed

python311-urllib3

suse enterprise server 15 SP4

2.0.7-150400.7.21.1

fixed

python36-urllib3

suse enterprise server 12 SP3

1.25.10-6.9.1

fixed

Known Exploits!

https://github.com/urllib3/urllib3/security/advisories/GHSA-pq67-6m6q-mj2v

Common Weakness Enumeration

CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

References

https://github.com/urllib3/urllib3/commit/f05b1329126d5be6de501f9d1e3e36738bc08857

https://github.com/urllib3/urllib3/releases/tag/2.5.0

https://github.com/urllib3/urllib3/security/advisories/GHSA-pq67-6m6q-mj2v