SB2025062659 - Incorrect handling of redirects in urllib3
Published: June 26, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Protection Mechanism Failure (CVE-ID: CVE-2025-50182)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to incorrect implementation of the Redirect object when handling redirects and retries in a Pyodide runtime. A remote attacker can force the library to follow redirects even if explicitly disabled.
2) Protection Mechanism Failure (CVE-ID: CVE-2025-50181)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to incorrect implementation of the Redirect object when handling redirects and retries. A remote attacker can force the library to follow redirects even if explicitly disabled with PoolManager.
Remediation
Install update from vendor's website.
References
- https://github.com/urllib3/urllib3/commit/7eb4a2aafe49a279c29b6d1f0ed0f42e9736194f
- https://github.com/urllib3/urllib3/security/advisories/GHSA-48p4-8xcf-vxj5
- https://github.com/urllib3/urllib3/commit/f05b1329126d5be6de501f9d1e3e36738bc08857
- https://github.com/urllib3/urllib3/security/advisories/GHSA-pq67-6m6q-mj2v