CVE-2025-50182

| EUVD-2025-18677 MEDIUM
2025-06-19 [email protected] GHSA-48p4-8xcf-vxj5
5.3
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
EUVD ID Assigned
Mar 15, 2026 - 00:08 euvd
EUVD-2025-18677
Analysis Generated
Mar 15, 2026 - 00:08 vuln.today
Patch Released
Mar 15, 2026 - 00:08 nvd
Patch available
CVE Published
Jun 19, 2025 - 02:15 nvd
MEDIUM 5.3

Tags

Python Node.js Open Redirect Ubuntu Debian Urllib3 Redhat Suse

Description

urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means Python libraries can be used to make HTTP requests from a browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects, but the retries and redirect parameters are ignored with Pyodide; the runtime itself determines redirect behavior. This issue has been patched in version 2.5.0.

Analysis

urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means Python libraries can be used to make HTTP requests from a browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects, but the retries and redirect parameters are ignored with Pyodide; the runtime itself determines redirect behavior. This issue has been patched in version 2.5.0.

Technical Context

An open redirect vulnerability allows attackers to redirect users from a trusted domain to an arbitrary external URL through manipulation of redirect parameters. This vulnerability is classified as URL Redirection to Untrusted Site (Open Redirect) (CWE-601).

Affected Products

Affected products: Python Urllib3

Remediation

A vendor patch is available — apply it immediately. Validate redirect URLs against a whitelist of allowed destinations. Use relative URLs for redirects. Warn users before redirecting to external sites.

Priority Score

27
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +26
POC: 0

Vendor Status

Ubuntu

Priority: Medium
python-pip
Release Status Version
upstream needs-triage -
plucky not-affected code not present
bionic not-affected code not present
focal not-affected code not present
jammy not-affected code not present
noble not-affected code not present
oracular not-affected code not present
trusty not-affected code not present
xenial not-affected code not present
python-urllib3
Release Status Version
plucky released 2.3.0-2ubuntu0.1
bionic not-affected code not present
focal not-affected code not present
jammy not-affected code not present
noble not-affected code not present
oracular not-affected code not present
trusty not-affected code not present
upstream released 2.5.0
xenial not-affected code not present
USN-7599-1

Debian

Bug #1108077
python-urllib3
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 1.26.5-1~exp1+deb11u3 -
bookworm not-affected - -
bookworm (security) fixed 1.26.12-1+deb12u3 -
trixie (security), trixie fixed 2.3.0-3+deb13u1 -
forky, sid fixed 2.6.3-1 -
(unstable) fixed 2.3.0-3 -

Share

CVE-2025-50182 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy