7 matches found
CVE-2020-26137
CVE-2020-26137 pertains to Python’s urllib3 and is explicitly described as a CRLF injection vulnerability in the HTTP request handling of urllib3/http.client. The connected advisories show affected package and version details: python-urllib3 1.24.2-2 (CBLMariner entry) and a recommended upgrade t...
CVE-2019-11236
The CVE-2019-11236 entry affects Python’s urllib3 up to version 1.24.1, where an attacker controlling a request parameter can trigger CRLF injection. Multiple connected advisories corroborate this issue and cite potential header/credential exposure risks in cross-origin redirects or crafted reque...
CVE-2024-37891
CVE-2024-37891 affects urllib3 (Python HTTP client) across multiple distributions (e.g., python3-urllib3, python3.13-pip, python-pip, etc.). The issue: when not using urllib3’s ProxyManager proxy support, a configured Proxy-Authorization header could be sent, and urllib3 may not strip it on cross...
CVE-2018-25091
CVE-2018-25091 affects the urllib3 library (before 1.24.2). When following cross-origin redirects, urllib3 may not remove the Authorization header, allowing credentials to be exposed to unintended hosts or transmitted in cleartext. This is noted as a follow-on from an incomplete fix for CVE-2018-...
CVE-2025-50181
CVE-2025-50181 affects python-urllib3 and was fixed in urllib3 2.5.0. Several connected advisories confirm vulnerable versions are older releases (e.g., python-urllib3
CVE-2021-28363
CVE-2021-28363 affects urllib3 for Python: versions 1.26.x before 1.26.4 omit SSL certificate validation when connecting HTTPS to HTTPS proxies, potentially enabling MITM via proxy hostname mismatch. Impact is partial confidentiality. Remediation: upgrade urllib3 to 1.26.4 or later (patched versi...
CVE-2025-50182
CVE-2025-50182 : Affects urllib3 (Python HTTP client). The issue is that prior to 2.5.0, when urllib3 is used in environments like Pyodide (Python in a browser/Node via Fetch/XMLHttpRequest), redirects are not controlled; Pyodide determines redirect behavior, and retries/redirect params are ignor...