GHSA-48p4-8xcf-vxj5

Published: 18 Jun 2025
Source: github
Github: Reviewed
CVSS3: 5.3

Description

urllib3 does not control redirects in browsers and Node.js

urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means you can use Python libraries to make HTTP requests from your browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects.

However, the retries and redirect parameters are ignored with Pyodide; the runtime itself determines redirect behavior.

Affected usages

Any code which relies on urllib3 to control the number of redirects for an HTTP request in a Pyodide runtime.

Impact

Redirects are often used to exploit SSRF vulnerabilities. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects may remain vulnerable if a Pyodide runtime redirect mechanism is unsuitable.

Remediation

If you use urllib3 in Node.js, upgrade to a patched version of urllib3.

Unfortunately, browsers provide no suitable mechanism that urllib3 can use: XMLHttpRequest provides no control over redirects, and the Fetch API returns opaqueredirect responses lacking data when redirects are controlled manually. Expect default browser behavior for redirects.
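A check built from the affected range and the remediation notes above, as an added example that is not part of the advisory or of urllib3: it flags urllib3 pins in the affected range and reports when redirect limits cannot be treated as a security control. Detecting Pyodide through sys.platform == "emscripten", the caller-supplied in_browser flag, and the sample requirements text are assumptions of this example.

```python
import re
import sys

# Affected range as listed on this page: >= 2.2.0, < 2.5.0
AFFECTED_MIN, FIXED = (2, 2, 0), (2, 5, 0)

def parse_version(text):
    """Leading numeric release as a 3-tuple; suffixes such as 'rc1' are ignored."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def is_affected_version(version):
    return AFFECTED_MIN <= parse_version(version) < FIXED

def redirect_control_unreliable(version, platform=sys.platform, in_browser=False):
    """True when redirect=/retries= must not be treated as a security control."""
    if platform != "emscripten":   # assumption: Pyodide reports this platform
        return False               # the advisory covers Pyodide runtimes only
    if in_browser:                 # hypothetical flag supplied by the caller
        return True                # advisory: expect default browser behavior
    return is_affected_version(version)  # Node.js: fixed in 2.5.0

def audit_pins(requirements_text):
    """Return (line number, version) for urllib3 '==' pins in the affected range."""
    findings = []
    for lineno, line in enumerate(requirements_text.splitlines(), 1):
        m = re.match(r"\s*urllib3(?:\[[^\]]*\])?\s*==\s*([\w.]+)", line, re.I)
        if m and is_affected_version(m.group(1)):
            findings.append((lineno, m.group(1)))
    return findings

# Constructed sample requirements file, not taken from any real project
SAMPLE = """\
requests==2.32.3
urllib3==2.3.0
urllib3[socks]==2.5.0
urllib3==1.26.18
"""

if __name__ == "__main__":
    for lineno, version in audit_pins(SAMPLE):
        print(f"line {lineno}: urllib3 {version} is in the affected range")
    print("unreliable here:", redirect_control_unreliable("2.3.0"))
```

Where the check reports redirect control as unreliable, validate the destination by other means rather than depending on the redirect and retries parameters.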

Packages

Name: urllib3 (pip)
Affected versions: >= 2.2.0, < 2.5.0
Fixed version: 2.5.0

EPSS

Percentile: 1%
0.00011
Low

5.3 Medium

CVSS3

Weaknesses

CWE-601

Related vulnerabilities

CVSS3: 5.3
ubuntu
about 2 months ago

urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means Python libraries can be used to make HTTP requests from a browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects, but the retries and redirect parameters are ignored with Pyodide; the runtime itself determines redirect behavior. This issue has been patched in version 2.5.0.

CVSS3: 5.3
redhat
about 2 months ago

urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means Python libraries can be used to make HTTP requests from a browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects, but the retries and redirect parameters are ignored with Pyodide; the runtime itself determines redirect behavior. This issue has been patched in version 2.5.0.

CVSS3: 5.3
nvd
about 2 months ago

urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means Python libraries can be used to make HTTP requests from a browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects, but the retries and redirect parameters are ignored with Pyodide; the runtime itself determines redirect behavior. This issue has been patched in version 2.5.0.

CVSS3: 5.3
debian
about 2 months ago

urllib3 is a user-friendly HTTP client library for Python. Starting in ...
