CVE-2025-50182 - Vulnerability Details

urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means Python libraries can be used to make HTTP requests from a browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects, but the retries and redirect parameters are ignored with Pyodide; the runtime itself determines redirect behavior. This issue has been patched in version 2.5.0.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00014.

Exploitation none

Automatable no

Technical Impact partial

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

urllib3

affected

Version	Status	Constraints
`>= 2.2.0, < 2.5.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:python:urllib3:*:*:*:*:*:*:*:*

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Urllib3 Subscribe	Urllib3 Subscribe

Project Subscriptions

Vendors	Products
Python Subscribe	Urllib3 Subscribe
Urllib3 Subscribe	Urllib3 Subscribe

Advisories

Source	ID	Title
EUVD	EUVD-2025-18677	urllib3 does not control redirects in browsers and Node.js
Github GHSA	GHSA-48p4-8xcf-vxj5	urllib3 does not control redirects in browsers and Node.js
Ubuntu USN	USN-7599-1	urllib3 vulnerabilities

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/urllib3/urllib3/commit/7eb4a2aafe49a279c29b6d1f0ed0f42e9736194f
https://github.com/urllib3/urllib3/releases/tag/2.5.0
https://github.com/urllib3/urllib3/security/advisories/GHSA-48p4-8xcf-vxj5
https://nvd.nist.gov/vuln/detail/CVE-2025-50182
https://www.cve.org/CVERecord?id=CVE-2025-50182

History

Mon, 22 Dec 2025 18:45:00 +0000

Type	Values Removed	Values Added
References		https://github.com/urllib3/urllib3/releases/tag/2.5.0

Mon, 22 Dec 2025 17:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Python Python urllib3
CPEs		cpe:2.3:a:python:urllib3::::::::
Vendors & Products		Python Python urllib3

Mon, 30 Jun 2025 19:15:00 +0000

Type	Values Removed	Values Added
Description	urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means Python libraries can be used to make HTTP requests from a browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects, but the retries and redirect parameters are ignored with Pyodide; the runtime itself determines redirect behavior. This issue has been patched in version 2.5.0.	urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means Python libraries can be used to make HTTP requests from a browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects, but the retries and redirect parameters are ignored with Pyodide; the runtime itself determines redirect behavior. This issue has been patched in version 2.5.0.

Mon, 23 Jun 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 20 Jun 2025 03:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2025-50182 https://www.cve.org/CVERecord?id=CVE-2025-50182
Metrics	threat_severity `None`	threat_severity `Moderate`

Thu, 19 Jun 2025 02:00:00 +0000

Type	Values Removed	Values Added
Description		urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means Python libraries can be used to make HTTP requests from a browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects, but the retries and redirect parameters are ignored with Pyodide; the runtime itself determines redirect behavior. This issue has been patched in version 2.5.0.
Title		urllib3 does not control redirects in browsers and Node.js
Weaknesses		CWE-601
References		https://github.com/urllib3/urllib3/commit/7eb4a2aafe49a279c29b6d1f0ed0f42e9736194f https://github.com/urllib3/urllib3/security/advisories/GHSA-48p4-8xcf-vxj5
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2025-06-19T01:42:44.921Z

Updated: 2025-12-22T18:43:46.779Z

Reserved: 2025-06-13T19:17:51.726Z

Link: CVE-2025-50182

Vulnrichment

Updated: 2025-06-23T16:56:08.872Z

NVD

Status : Modified

Published: 2025-06-19T02:15:17.967

Modified: 2025-12-22T19:15:49.177

Link: CVE-2025-50182

Redhat

Severity : Moderate

Publid Date: 2025-06-19T01:42:44Z

Links: CVE-2025-50182 - Bugzilla

OpenCVE Enrichment

Updated: 2025-06-20T13:24:21Z

Weaknesses

CWE-601

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object