Fluid Attacks Database

Description

urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means Python libraries can be used to make HTTP requests from a browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects, but the retries and redirect parameters are ignored with Pyodide; the runtime itself determines redirect behavior. This issue has been patched in version 2.5.0.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	python-urllib3	>=0 <2.3.0-3	2.3.0-3
debian 13	python-urllib3	>=0 <2.3.0-3	2.3.0-3
pypi	urllib3	>=2.2.0 <2.5.0	2.5.0
rpm rhel9	bootc-image-builder	-	-
rpm rhel8	python3.11-pip	-	-
rpm rhel7	python-pip	-	-
rpm rhel7	python-s3transfer	-	-
rpm rhel8	fence-agents	-	-
rpm rhel10	python-pip	-	-
rpm rhel9	fence-agents	-	-

1-10 of 17

Aliases

1. CVE-2025-501822. NVD-2025-501823. OSV-DEBIAN-2025-501824. OSV-2025-501825. GHSA-48p4-8xcf-vxj56. GCVE-2025-501827. SECURITY-TRACKER-CVE-2025-50182

References

1. https://github.com/urllib3/urllib3/security/advisories/GHSA-48p4-8xcf-vxj52. https://github.com/urllib3/urllib3/commit/7eb4a2aafe49a279c29b6d1f0ed0f42e9736194f3. https://github.com/urllib3/urllib3/releases/tag/2.5.0