urllib3@2.0.0a1 vulnerabilities

HTTP library with thread-safe connection pooling, file post, and more.

  • latest version

    2.5.0

  • latest non vulnerable version

  • first published

    15 years ago

  • latest version published

    13 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the urllib3 package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability / Vulnerable Version
    • M
    Open Redirect

urllib3 is an HTTP library with thread-safe connection pooling, file post, and more.

    Affected versions of this package are vulnerable to Open Redirect due to the retries parameter being ignored during PoolManager instantiation. An attacker can access unintended resources or endpoints by leveraging automatic redirects when the application expects redirects to be disabled at the connection pool level.

    Note:

    requests and botocore users are not affected.

    How to fix Open Redirect?

    Upgrade urllib3 to version 2.5.0 or higher.

    [,2.5.0)
    • M
    Open Redirect

urllib3 is an HTTP library with thread-safe connection pooling, file post, and more.

    Affected versions of this package are vulnerable to Open Redirect when used within a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest, due to the retries and redirect parameters being ignored and the runtime determining redirect behavior. An attacker can access sensitive information by leveraging uncontrolled redirects in browsers or Node.js environments.

    Notes:

1. This is only exploitable if the application relies on the retries and redirect parameters to limit or prevent redirects.

    2. This issue was fixed in version 2.5.0 for Node.js environments but not for browsers due to XMLHttpRequest providing no control over redirects. Default browser behavior for redirects should be expected.

    How to fix Open Redirect?

    Upgrade urllib3 to version 2.5.0 or higher.

    [,2.5.0)
    • M
    Improper Removal of Sensitive Information Before Storage or Transfer

urllib3 is an HTTP library with thread-safe connection pooling, file post, and more.

    Affected versions of this package are vulnerable to Improper Removal of Sensitive Information Before Storage or Transfer due to the improper handling of the Proxy-Authorization header during cross-origin redirects when ProxyManager is not in use. When the conditions below are met, including non-recommended configurations, the contents of this header can be sent in an automatic HTTP redirect.

    Notes:

    To be vulnerable, the application must be doing all of the following:

    1. Setting the Proxy-Authorization header without using urllib3's built-in proxy support.

2. Not disabling HTTP redirects (e.g. with redirects=False).

    3. Either not using an HTTPS origin server, or having a proxy or target origin that redirects to a malicious origin.

    How to fix Improper Removal of Sensitive Information Before Storage or Transfer?

    Upgrade urllib3 to version 1.26.19, 2.2.2 or higher.

[,1.26.19), [2.0.0a1,2.2.2)
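As an added example (not code from this page or from urllib3 itself), the following standard-library-only Python simulates the two redirect defences that the first and third advisories above describe: a redirect limit of zero fails closed instead of being silently ignored, and Proxy-Authorization (together with Authorization and Cookie) is dropped whenever a redirect crosses an origin boundary. The response chain, URLs and credential value are constructed for the demonstration, and the function names are this example's own.

```python
from urllib.parse import urlsplit

# Credential-bearing headers that must not follow a request to a different origin.
SENSITIVE_HEADERS = frozenset({"proxy-authorization", "authorization", "cookie"})
REDIRECT_STATUSES = frozenset({301, 302, 303, 307, 308})


class RedirectNotAllowed(Exception):
    """Raised when a response asks for a redirect that the caller's policy forbids."""


def origin(url):
    """Return the (scheme, host, port) triple for a URL.

    The default port is filled in so that http://h and http://h:80 compare equal.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or (443 if scheme == "https" else 80)
    return (scheme, host, port)


def headers_for_redirect(from_url, to_url, headers):
    """Headers to send on the next hop.

    Unchanged for a same-origin redirect; stripped of credential headers when
    the origin changes, which is the leak the third advisory describes.
    """
    if origin(from_url) == origin(to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


def follow(responses, url, headers, max_redirects):
    """Walk a chain of constructed responses while enforcing the redirect policy.

    responses maps a URL to (status, location); location is None for a final
    response. Returns (final_status, final_url, hops) where hops is the list of
    (url, headers) actually sent, so the caller can inspect what each hop carried.
    """
    sent = []
    hops = 0
    headers = dict(headers)
    while True:
        status, location = responses[url]
        sent.append((url, dict(headers)))
        if status not in REDIRECT_STATUSES or location is None:
            return status, url, sent
        if hops >= max_redirects:
            # The policy said "no more redirects": fail closed rather than
            # silently following, which is the behaviour the first advisory warns about.
            raise RedirectNotAllowed(f"{url} -> {location} refused (limit {max_redirects})")
        hops += 1
        headers = headers_for_redirect(url, location, headers)
        url = location


# Constructed sample chain: a plain-HTTP origin that redirects once to a
# different origin, plus a same-origin redirect for comparison.
SAMPLE_RESPONSES = {
    "http://api.example/v1/report": (302, "https://other-origin.example/collect"),
    "https://other-origin.example/collect": (200, None),
    "http://api.example/old": (301, "http://api.example:80/new"),
    "http://api.example:80/new": (200, None),
}
# Constructed placeholder credential; not a real token.
SAMPLE_HEADERS = {"Proxy-Authorization": "Basic placeholder", "Accept": "application/json"}


if __name__ == "__main__":
    status, final, hops = follow(SAMPLE_RESPONSES, "http://api.example/v1/report", SAMPLE_HEADERS, 5)
    for hop_url, hop_headers in hops:
        print(hop_url, sorted(hop_headers))
    try:
        follow(SAMPLE_RESPONSES, "http://api.example/v1/report", SAMPLE_HEADERS, 0)
    except RedirectNotAllowed as exc:
        print("blocked:", exc)
```

With urllib3 itself, the equivalent controls are `redirect=False` on the request, or a `Retry(redirect=0)` policy, together with upgrading to the fixed versions listed above; the cross-origin stripping mirrors what the fixed versions do for Proxy-Authorization by default.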