CVE-2025-50182

CVE-2025-50182

Name

CVE-2025-50182

Description

urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means Python libraries can be used to make HTTP requests from a browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects, but the retries and redirect parameters are ignored with Pyodide; the runtime itself determines redirect behavior. This issue has been patched in version 2.5.0.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://github.com/urllib3/urllib3/commit/7eb4a2aafe49a279c29b6d1f0ed0f42e9736194f
CONFIRM	https://github.com/urllib3/urllib3/security/advisories/GHSA-48p4-8xcf-vxj5
security-advisories@github.com	https://github.com/urllib3/urllib3/releases/tag/2.5.0

Type

URI

MISC

https://github.com/urllib3/urllib3/commit/7eb4a2aafe49a279c29b6d1f0ed0f42e9736194f

CONFIRM

https://github.com/urllib3/urllib3/security/advisories/GHSA-48p4-8xcf-vxj5

security-advisories@github.com

https://github.com/urllib3/urllib3/releases/tag/2.5.0

CPE URI	Source package	Min version	Max version
	py3-urllib3	>= 0	< 2.5.0
`cpe:2.3:a:python:urllib3::::::::`	py3-urllib3	>= 2.2.0	< 2.5.0

CPE URI

Source package

Min version

Max version

py3-urllib3

>= 0

< 2.5.0

cpe:2.3:a:python:urllib3:*:*:*:*:*:*:*:*

py3-urllib3

>= 2.2.0

< 2.5.0

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
py3-urllib3	edge-main	1.26.20-r0	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
py3-urllib3	edge-main	1.26.18-r0	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
py3-urllib3	edge-main	1.26.17-r0	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
py3-urllib3	edge-main	1.26.4-r0	None	possibly vulnerable
py3-urllib3	edge-main	1.25.9-r0	None	possibly vulnerable
py3-urllib3	3.22-main	1.26.20-r1	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
py3-urllib3	3.22-main	1.26.20-r0	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
py3-urllib3	3.22-main	1.26.18-r0	None	possibly vulnerable
py3-urllib3	3.22-main	1.26.17-r0	None	possibly vulnerable
py3-urllib3	3.22-main	1.26.4-r0	None	possibly vulnerable
py3-urllib3	3.22-main	1.25.9-r0	None	possibly vulnerable
py3-urllib3	3.21-main	1.26.20-r1	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
py3-urllib3	3.21-main	1.26.20-r0	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
py3-urllib3	3.21-main	1.26.18-r0	None	possibly vulnerable
py3-urllib3	3.21-main	1.26.17-r0	None	possibly vulnerable
py3-urllib3	3.21-main	1.26.4-r0	None	possibly vulnerable
py3-urllib3	3.21-main	1.25.9-r0	None	possibly vulnerable
py3-urllib3	3.20-main	1.26.18-r2	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
py3-urllib3	3.20-main	1.26.18-r1	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
py3-urllib3	3.20-main	1.26.18-r0	None	possibly vulnerable
py3-urllib3	3.20-main	1.26.17-r0	None	possibly vulnerable
py3-urllib3	3.20-main	1.26.4-r0	None	possibly vulnerable
py3-urllib3	3.20-main	1.25.9-r0	None	possibly vulnerable
py3-urllib3	3.19-main	1.26.18-r0	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
py3-urllib3	3.19-main	1.26.17-r0	None	possibly vulnerable
py3-urllib3	3.19-main	1.26.4-r0	None	possibly vulnerable
py3-urllib3	3.19-main	1.25.9-r0	None	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

References

Match rules

Vulnerable and fixed packages