CVE-2025-50182

EUVD-2025-18677

19.06.2025, 02:15

urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means Python libraries can be used to make HTTP requests from a browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects, but the retries and redirect parameters are ignored with Pyodide; the runtime itself determines redirect behavior. This issue has been patched in version 2.5.0.

Open Redirect

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.3 MEDIUM	NETWORK	HIGH	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
GitHub_M	CNA	5.3 MEDIUM	NETWORK	HIGH	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 2%

Affected Products (NVD)

Vendor	Product	Version
python	urllib3	2.2.0 ≤ 𝑥 < 2.5.0

𝑥

= Vulnerable software versions

Ubuntu Releases

Ubuntu Product

Codename

python-pip

bionic	not-affected
focal	not-affected
jammy	not-affected
noble	not-affected
oracular	not-affected
plucky	not-affected
trusty	not-affected
xenial	not-affected

python-urllib3

bionic	not-affected
focal	not-affected
jammy	not-affected
noble	not-affected
oracular	not-affected
plucky	Fixed 2.3.0-2ubuntu0.1 released
trusty	not-affected
xenial	not-affected

Common Weakness Enumeration

CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

References

https://github.com/urllib3/urllib3/commit/7eb4a2aafe49a279c29b6d1f0ed0f42e9736194f

https://github.com/urllib3/urllib3/releases/tag/2.5.0

https://github.com/urllib3/urllib3/security/advisories/GHSA-48p4-8xcf-vxj5