CVE-2025-50182
BaseFortify
Publication date: 2025-06-19
Last updated on: 2025-12-22
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| python | urllib3 | 2.2.0 (inclusive) to 2.5.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-50182 is a vulnerability in the urllib3 Python library versions prior to 2.5.0 when used in Pyodide runtimes within browsers or Node.js. Normally, urllib3 allows control over HTTP redirects, but in these environments, the redirect controls (like retries and redirect parameters) are ignored because the runtime (browser or Node.js) manages redirects itself. This means that attempts to limit or disable redirects via urllib3 are ineffective, potentially exposing applications to Server-Side Request Forgery (SSRF) or open redirect attacks. The issue arises because browser APIs (Fetch API and XMLHttpRequest) do not provide mechanisms to control redirects properly. The vulnerability has been fixed in urllib3 version 2.5.0, which added redirect control support in Node.js but not in browsers. [1, 2]
How can this vulnerability impact me?
This vulnerability can impact you by allowing uncontrolled HTTP redirects when using urllib3 in Pyodide runtimes in browsers or Node.js. Because redirect controls are ignored, an attacker could exploit this to perform Server-Side Request Forgery (SSRF) or open redirect attacks, potentially exposing sensitive information or redirecting users to malicious sites. In Node.js environments, this risk is mitigated by upgrading to urllib3 2.5.0, which enforces redirect controls. However, in browser environments, no effective mitigation exists due to inherent API limitations, so applications relying on urllib3 for redirect control may remain vulnerable. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves identifying usage of urllib3 versions prior to 2.5.0 in Pyodide runtimes within browsers or Node.js, especially where redirect control is expected but ineffective. In Node.js environments, you can test redirect behavior by making HTTP requests with urllib3 configured with retries=0 or redirect=False and observing if redirects are properly limited or followed. For example, in Node.js, run a Python script using urllib3 to request a URL known to redirect and check if a MaxRetryError is raised or if the redirect response is returned without following. There are no specific network commands provided to detect this vulnerability automatically. [1, 2]
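An added probe of the kind the answer above describes (a constructed example, not code from the advisory or from urllib3): a local server answers /start with a 302 to /final, and a client is scored on whether it hands the 302 back or silently follows it. `fetch_urllib3` assumes urllib3 is installed and is the client you would run under Pyodide; the two standard-library clients show the honoured and ignored outcomes.

```python
import http.client
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

class _RedirectHandler(BaseHTTPRequestHandler):
    # Constructed target: /start answers 302 -> /final, anything else answers 200.
    def do_GET(self):
        if self.path == "/start":
            self.send_response(302)
            self.send_header("Location", "/final")
            self.end_headers()
        else:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"landed on /final")
    def log_message(self, *args): pass  # keep request logging quiet

def fetch_raw(host, port, path):
    # Reference client: http.client never follows redirects on its own.
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    status, location = resp.status, resp.getheader("Location")
    conn.close()
    return status, location

def fetch_following(host, port, path):
    # A client that follows redirects by itself, as a browser or Node.js runtime does.
    with urllib.request.urlopen(f"http://{host}:{port}{path}", timeout=5) as resp:
        return resp.status, resp.headers.get("Location")

def fetch_urllib3(host, port, path):
    # The client under test: urllib3 with redirects disabled (assumes urllib3 is installed).
    import urllib3
    resp = urllib3.PoolManager().request("GET", f"http://{host}:{port}{path}", redirect=False)
    return resp.status, resp.headers.get("Location")

def redirect_control_honoured(fetch):
    # True if `fetch` hands back the unfollowed 302; False if the redirect was followed.
    srv = HTTPServer(("127.0.0.1", 0), _RedirectHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        host, port = srv.server_address
        status, location = fetch(host, port, "/start")
    finally:
        srv.shutdown()
        srv.server_close()
    return status == 302 and location == "/final"
```

Run `redirect_control_honoured(fetch_urllib3)` inside the Pyodide runtime you are assessing: False there means the redirect parameter is being ignored, which is the behaviour this CVE describes.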
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade urllib3 to version 2.5.0 or later, which includes the fix for redirect control in Node.js environments. For browser environments using Pyodide, no effective mitigation exists due to inherent limitations in browser APIs controlling redirects; users should expect default browser redirect behavior. Therefore, in browsers, avoid relying on urllib3 redirect controls and consider alternative security measures to handle redirects safely. [1]