CVE-2025-50182

urllib3 does not control redirects in browsers and Node.js

Description

urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means Python libraries can be used to make HTTP requests from a browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects, but the retries and redirect parameters are ignored with Pyodide; the runtime itself determines redirect behavior. This issue has been patched in version 2.5.0.

Category

5.3
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.01%
Affected: urllib3 urllib3
Published at:
Updated at:

References

Link Tags
https://github.com/urllib3/urllib3/security/advisories/GHSA-48p4-8xcf-vxj5
https://github.com/urllib3/urllib3/commit/7eb4a2aafe49a279c29b6d1f0ed0f42e9736194f

Frequently Asked Questions

What is the severity of CVE-2025-50182?
CVE-2025-50182 has been scored as a medium severity vulnerability.
How to fix CVE-2025-50182?
To fix CVE-2025-50182, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-50182 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2025-50182 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-50182?
CVE-2025-50182 affects urllib3 urllib3.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.