CVE-2018-20060
CVE-2018-20060 affects urllib3/python-urllib3 prior to 1.23, where the Authorization header is not removed on cross-origin redirects. This can allow credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext. Public sources in the Connected documents ind...
CVE-2023-43804
CVE-2023-43804 affects the Python urllib3 library, where a Cookie header may be leaked across cross-origin redirects if redirects are not disabled. The issue is resolved in urllib3 1.26.17 or 2.0.5. Affected environments are confirmed in multiple reports, including AlmaLinux and Brocade advisorie...
CVE-2021-33503
CVE-2021-33503 affects urllib3 prior to 1.26.5, where the authority component regex can catastrophically backtrack on URLs containing many @ characters, leading to denial of service via parameters or redirects. Several connected sources note a patched version is available (e.g., python-urllib3 up...
CVE-2020-26137
CVE-2020-26137 pertains to Python’s urllib3 and is explicitly described as a CRLF injection vulnerability in the HTTP request handling of urllib3/http.client. The connected advisories show affected package and version details: python-urllib3 1.24.2-2 (CBLMariner entry) and a recommended upgrade t...
CVE-2019-11324
The issue CVE-2019-11324 affects the Python urllib3 library prior to 1.24.2, where SSL verification can be bypassed when the SSLContext, ca_certs, or ca_certs_dir arguments differ from the OS CA store, causing TLS handshakes to succeed when they should fail. This is related to how system vs manua...
CVE-2023-45803
CVE-2023-45803 affects the Python urllib3 library. The issue arises when handling HTTP redirects (301/302/303) after a request’s method changes from something that can carry a body (e.g., POST) to GET, where urllib3 previously did not remove the HTTP request body. This could allow leakage of sens...
CVE-2019-11236
The CVE-2019-11236 entry affects Python’s urllib3 up to version 1.24.1, where an attacker controlling a request parameter can trigger CRLF injection. Multiple connected advisories corroborate this issue and cite potential header/credential exposure risks in cross-origin redirects or crafted reque...
CVE-2024-37891
CVE-2024-37891 affects urllib3 (Python HTTP client) across multiple distributions (e.g., python3-urllib3, python3.13-pip, python-pip, etc.). The issue: when not using urllib3’s ProxyManager proxy support, a configured Proxy-Authorization header could be sent, and urllib3 may not strip it on cross...
CVE-2018-25091
CVE-2018-25091 affects the urllib3 library (before 1.24.2). When following cross-origin redirects, urllib3 may not remove the Authorization header, allowing credentials to be exposed to unintended hosts or transmitted in cleartext. This is noted as a follow-on from an incomplete fix for CVE-2018-...
CVE-2021-28363
CVE-2021-28363 affects urllib3 for Python: versions 1.26.x before 1.26.4 omit SSL certificate validation when connecting HTTPS to HTTPS proxies, potentially enabling MITM via proxy hostname mismatch. Impact is partial confidentiality. Remediation: upgrade urllib3 to 1.26.4 or later (patched versi...
CVE-2025-50181
CVE-2025-50181 affects python-urllib3 and was fixed in urllib3 2.5.0. Several connected advisories confirm vulnerable versions are older releases (e.g., python-urllib3
CVE-2020-7212
CVE-2020-7212 concerns urllib3 for Python (versions 1.25.2–1.25.7) with a Denial of Service risk caused by the _encode_invalid_chars implementation in util/url.py. The issue arises from an inefficient algorithm where the percent_encodings collection can grow O(N) for a URL of length N, and the su...
CVE-2025-50182
CVE-2025-50182: Affects urllib3 (Python HTTP client). The issue is that prior to 2.5.0, when urllib3 is used in environments like Pyodide (Python in a browser/Node via Fetch/XMLHttpRequest), redirects are not controlled; Pyodide determines redirect behavior, and retries/redirect params are ignor...
CVE-2016-9015
CVE-2016-9015 affects Python urllib3 versions 1.17 and 1.18 when using PyOpenSSL with OpenSSL 1.1.0; in such configurations TLS certificate validation can be bypassed, enabling MITM and information leakage. The issue is considered low impact due to the very specific configuration. Remediation fro...
CVE-2026-21441
CVE-2026-21441 (urllib3): The issue occurs in urllib3’s streaming API where, for HTTP redirect responses, the client decompresses the entire response body even before any reads are issued, enabling potential resource exhaustion (CPU/memory) via decompression bombs. Affected versions are prior to...
CVE-2025-66471
CVE-2025-66471 affects urllib3’s streaming API handling of compressed HTTP responses in Python. The issue arises when streaming a highly compressed payload, where decompression could process data in a way that uses excessive CPU and memory, potentially from the decompression buffer behavior noted...
CVE-2026-44432
CVE-2026-44432 affects urllib3 before 2.7.0, where the library could decompress the entire response during HTTPResponse.read or drain_conn, leading to high CPU and memory usage when handling highly compressed data. Affected versions: 2.6.0 up to (but not including) 2.7.0. Impact described as pote...
CVE-2026-44431
CVE-2026-44431 affects urllib3 (Python HTTP client). From versions 1.23 up to, but not including, 2.7.0, cross-origin redirects followed by the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward sensitive headers. This constitutes a leakage of ...
CVE-2025-66418
The connected advisories confirm CVE-2025-66418 affects urllib3 (Python) via an unbounded decompression chain in versions 1.24 up to before 2.6.0, enabling high CPU and memory usage; remediation is to upgrade to 2.6.0 or later. Additional advisories note related issues: CVE-2025-66471 (Streaming ...