CVE-2025-50181

Name: CVE-2025-50181
Description: urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disables redirects. By default, requests and botocore users are not affected. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects at the PoolManager level will remain vulnerable. This issue has been patched in version 2.5.0.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
| --- | --- | --- | --- |
| python-urllib3 (PTS) | bullseye | 1.26.5-1~exp1 | vulnerable |
| | bullseye (security) | 1.26.5-1~exp1+deb11u1 | vulnerable |
| | bookworm | 1.26.12-1+deb12u1 | vulnerable |
| | sid, trixie | 2.3.0-2 | vulnerable |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
| --- | --- | --- | --- | --- | --- | --- |
| python-urllib3 | source | (unstable) | (unfixed) | | | |

Notes

https://github.com/urllib3/urllib3/security/advisories/GHSA-pq67-6m6q-mj2v
https://github.com/urllib3/urllib3/commit/f05b1329126d5be6de501f9d1e3e36738bc08857 (2.5.0)
