CVE-2023-43804

`Cookie` HTTP header isn't stripped on cross-origin redirects

Description

urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.

Category

5.9
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.57%
Vendor Advisory github.com
Affected: urllib3 urllib3
Published at:
Updated at:

References

Link Tags
https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f patch vendor advisory
https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb patch
https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d patch
https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html third party advisory mailing list
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3PR7C6RJ6JUBQKIJ644DMIJSUP36VDY/ third party advisory mailing list
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAGZXYJ7H2G3SB47M453VQVNAWKAEJJ/ third party advisory mailing list
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5/ third party advisory mailing list
https://security.netapp.com/advisory/ntap-20241213-0007/
https://www.vicarius.io/vsociety/posts/cve-2023-43804-urllib3-vulnerability-3

Frequently Asked Questions

What is the severity of CVE-2023-43804?
CVE-2023-43804 has been scored as a medium severity vulnerability.
How to fix CVE-2023-43804?
To fix CVE-2023-43804, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-43804 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2023-43804 is being actively exploited. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-43804?
CVE-2023-43804 affects urllib3 urllib3.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.