GHSA-48p4-8xcf-vxj5

Suggest an improvement
Source
https://github.com/advisories/GHSA-48p4-8xcf-vxj5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-48p4-8xcf-vxj5/GHSA-48p4-8xcf-vxj5.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-48p4-8xcf-vxj5
Aliases
Related
Published
2025-06-18T17:50:11Z
Modified
2025-06-19T16:04:50.248905Z
Downstream
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
urllib3 does not control redirects in browsers and Node.js
Details

urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means you can use Python libraries to make HTTP requests from your browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects.

However, the retries and redirect parameters are ignored with Pyodide; the runtime itself determines redirect behavior.

Affected usages

Any code which relies on urllib3 to control the number of redirects for an HTTP request in a Pyodide runtime.

Impact

Redirects are often used to exploit SSRF vulnerabilities. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects may remain vulnerable if a Pyodide runtime redirect mechanism is unsuitable.

Remediation

If you use urllib3 in Node.js, upgrade to a patched version of urllib3.

Unfortunately, browsers provide no suitable way which urllib3 can use: XMLHttpRequest provides no control over redirects, the Fetch API returns opaqueredirect responses lacking data when redirects are controlled manually. Expect default browser behavior for redirects.

Database specific 
{
    "nvd_published_at": "2025-06-19T02:15:17Z",
    "cwe_ids": [
        "CWE-601"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-18T17:50:11Z"
}
References

Affected packages

PyPI / urllib3

Package

Name
urllib3
View open source insights on deps.dev
Purl
pkg:pypi/urllib3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.5.0

Affected versions

0.*

0.2
0.3
0.3.1
0.4.0
0.4.1

1.*

1.0
1.0.1
1.0.2
1.1
1.2
1.2.1
1.2.2
1.3
1.4
1.5
1.6
1.7
1.7.1
1.8
1.8.2
1.8.3
1.9
1.9.1
1.10
1.10.1
1.10.2
1.10.3
1.10.4
1.11
1.12
1.13
1.13.1
1.14
1.15
1.15.1
1.16
1.17
1.18
1.18.1
1.19
1.19.1
1.20
1.21
1.21.1
1.22
1.23
1.24
1.24.1
1.24.2
1.24.3
1.25
1.25.1
1.25.2
1.25.3
1.25.4
1.25.5
1.25.6
1.25.7
1.25.8
1.25.9
1.25.10
1.25.11
1.26.0
1.26.1
1.26.2
1.26.3
1.26.4
1.26.5
1.26.6
1.26.7
1.26.8
1.26.9
1.26.10
1.26.11
1.26.12
1.26.13
1.26.14
1.26.15
1.26.16
1.26.17
1.26.18
1.26.19
1.26.20

2.*

2.0.0a1
2.0.0a2
2.0.0a3
2.0.0a4
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.1.0
2.2.0
2.2.1
2.2.2
2.2.3
2.3.0
2.4.0