CVE-2025-50182 (Medium) detected in urllib3-2.3.0-py3-none-any.whl #1556
Description
CVE-2025-50182 - Medium Severity Vulnerability
Vulnerable Library - urllib3-2.3.0-py3-none-any.whl
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/c8/19/4ec628951a74043532ca2cf5d97b7b14863931476d117c471e8e2b1eb39f/urllib3-2.3.0-py3-none-any.whl
Path to dependency file: /scripts/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250222111149_EBAGHU/python_UOCJOB/202502221111511/env/lib/python3.9/site-packages/urllib3-2.3.0.dist-info
Dependency Hierarchy:
- requests-2.32.3-py3-none-any.whl (Root Library)
- ❌ urllib3-2.3.0-py3-none-any.whl (Vulnerable Library)
Found in base branch: master-3.0
Vulnerability Details
urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means Python libraries can be used to make HTTP requests from a browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects, but the retries and redirect parameters are ignored with Pyodide; the runtime itself determines redirect behavior. This issue has been patched in version 2.5.0.
Publish Date: 2025-06-19
URL: CVE-2025-50182
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2025-06-19
Fix Resolution: urllib3 - 2.5.0