CVE-2025-50181

EUVD-2025-18908 | MEDIUM 5.3 (CVSS 3.1)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

EUVD ID Assigned: Mar 15, 2026 - 00:08 (euvd) - EUVD-2025-18908
Analysis Generated: Mar 15, 2026 - 00:08 (vuln.today)
Patch Released: Mar 15, 2026 - 00:08 (nvd) - Patch available
PoC Detected: Dec 22, 2025 - 19:15 (vuln.today) - Public exploit code
CVE Published: Jun 19, 2025 - 01:15 (nvd)

Description

urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, an application could attempt to disable redirects for all requests by instantiating a PoolManager with retries configured in a way that disables redirects, but that PoolManager-level setting was not honoured when a response redirected. By default, requests and botocore users are not affected. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects at the PoolManager level will remain vulnerable. This issue has been patched in version 2.5.0.
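As an added example (not code from the urllib3 project or from this advisory), the Python below compares three client patterns against a constructed local origin that answers 302: the default PoolManager, the PoolManager-level retries setting the description refers to, and a per-request setting that holds on every urllib3 version. It assumes urllib3 is installed; the local server, its paths and the function names are constructed for the demonstration.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
import urllib3
from urllib3.util import Retry


def fetch_without_redirects(http, url):
    """GET that is never followed across a 3xx, whatever the PoolManager holds.

    Before 2.5.0 PoolManager.urlopen ignored the Retry stored on the PoolManager
    when deciding whether to follow, so the control is repeated on every call:
    redirect=False is the real guard, the per-request Retry a second one.
    """
    return http.request(
        "GET", url, redirect=False,
        retries=Retry(total=3, redirect=False, raise_on_redirect=False),
    )


class _RedirectHandler(BaseHTTPRequestHandler):
    """Constructed local origin: /start answers 302 -> /landed, which answers 200."""
    def do_GET(self):
        if self.path == "/start":
            self.send_response(302)
            self.send_header("Location", "/landed")
            self.send_header("Content-Length", "0")
            self.end_headers()
        else:
            self.send_response(200)
            self.send_header("Content-Length", "6")
            self.end_headers()
            self.wfile.write(b"landed")

    def log_message(self, *args):  # keep the test server quiet
        pass


def compare_redirect_controls():
    """Final status each client pattern sees for the constructed 302."""
    server = HTTPServer(("127.0.0.1", 0), _RedirectHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/start"
    pool_level = urllib3.PoolManager(retries=Retry(redirect=False))  # pattern the advisory describes
    try:
        return {
            "default": urllib3.PoolManager().request("GET", url).status,  # follows to 200
            "pool_level_only": pool_level.request("GET", url).status,  # 200 before 2.5.0, 302 from 2.5.0
            "per_request": fetch_without_redirects(pool_level, url).status,  # 302 on any version
        }
    finally:
        server.shutdown()
        server.server_close()
```

The "pool_level_only" result is the one that changes with the installed urllib3 version; the "per_request" result is the control an application should rely on when it cannot guarantee 2.5.0 or later.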

Technical Context

An open redirect vulnerability allows an attacker to send users from a trusted domain to an arbitrary external URL by manipulating redirect parameters. This issue is classified as URL Redirection to Untrusted Site (Open Redirect), CWE-601.

Affected Products

Python urllib3 (versions prior to 2.5.0)

Remediation

A vendor patch is available: apply it immediately. Validate redirect URLs against an allowlist of permitted destinations. Use relative URLs for redirects. Warn users before redirecting to external sites.

Priority Score

Score: 47
KEV: 0
EPSS: +0.0
CVSS: +26
POC: +20

Vendor Status

Ubuntu

Priority: Medium

python-pip
Release   Status        Version
upstream  needs-triage  -
bionic    not-affected  9.0.1-2.3~ubuntu1.18.04.8+esm7
focal     not-affected  20.0.2-5ubuntu1.11+esm3
jammy     released      22.0.2+dfsg-1ubuntu0.6
noble     released      24.0+dfsg-1ubuntu1.2
oracular  released      24.2+dfsg-1ubuntu0.2
plucky    released      25.0+dfsg-1ubuntu0.1
trusty    not-affected  code not present
xenial    not-affected  8.1.1-2ubuntu0.6+esm11

python-urllib3
Release   Status        Version
bionic    released      1.22-1ubuntu0.18.04.2+esm3
focal     released      1.25.8-2ubuntu0.4+esm1
jammy     released      1.26.5-1~exp1ubuntu0.3
noble     released      2.0.7-1ubuntu0.2
oracular  released      2.0.7-2ubuntu0.2
plucky    released      2.3.0-2ubuntu0.1
trusty    not-affected  code not present
xenial    released      1.13.1-2ubuntu0.16.04.4+esm3
upstream  released      2.5.0

Debian

Bug #1108076

python-urllib3
Release                   Status  Fixed Version          Urgency
bullseye                  fixed   1.26.5-1~exp1+deb11u2  -
bullseye (security)       fixed   1.26.5-1~exp1+deb11u3  -
bookworm                  fixed   1.26.12-1+deb12u2      -
bookworm (security)       fixed   1.26.12-1+deb12u3      -
trixie (security), trixie fixed   2.3.0-3+deb13u1        -
forky, sid                fixed   2.6.3-1                -
(unstable)                fixed   2.3.0-3                -

CVE-2025-50181 vulnerability details – vuln.today