PT-2025-26198 · Urllib3+6

Sandumjacob

Published: 2025-06-18 · Updated: 2026-06-03 · CVE-2025-50181

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
urllib3 versions prior to 2.5.0

Description
The issue affects how urllib3 handles redirects and retries, which are controlled by the Retry object. Normally, redirects can be disabled at the request level or by instantiating a PoolManager with specific retries settings. Due to this issue, however, the retries parameter is ignored, making it impossible to disable redirects as intended. Applications that try to mitigate Server-Side Request Forgery (SSRF) or open redirect vulnerabilities by disabling redirects at the PoolManager level therefore remain vulnerable.

Recommendations
For versions prior to 2.5.0, upgrade to a patched version of urllib3. As a temporary workaround, consider disabling redirects at the request() level instead of the PoolManager() level.
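
To check an installed urllib3 against the behaviour described above, the following added example (not code from the advisory or from the urllib3 project) compares a pool-level retries setting with the request-level workaround. The local test server, its /start and /internal paths, and the names Handler, fetch and probe are constructed for this illustration.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

import urllib3

hits = []  # paths served by the constructed local test server


class Handler(BaseHTTPRequestHandler):
    """Constructed target: /start redirects to /internal."""

    def do_GET(self):
        hits.append(self.path)
        body = b"" if self.path == "/start" else b"internal"
        self.send_response(302 if self.path == "/start" else 200)
        if self.path == "/start":
            self.send_header("Location", "/internal")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def fetch(pool, url, **kw):
    """Return (status, whether the redirect target was actually requested)."""
    hits.clear()
    status = pool.request("GET", url, **kw).status
    return status, "/internal" in hits


def probe():
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/start"
    try:
        # Pool-level setting: the one the advisory says is ignored before 2.5.0.
        pool_level = fetch(urllib3.PoolManager(retries=False), url)
        # Workaround from the Recommendations: disable redirects per request.
        request_level = fetch(urllib3.PoolManager(), url, redirect=False)
    finally:
        server.shutdown()
        server.server_close()
    return {"urllib3": urllib3.__version__, "pool_level": pool_level,
            "request_level": request_level}


if __name__ == "__main__":
    print(probe())
```

A pool_level result of (200, True) means the redirect was followed despite the PoolManager setting; (302, False) means it was honoured. The request_level result is (302, False) in both cases.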

Exploit

Fix

DoS

Protection Mechanism Failure

Open Redirect

Weakness Enumeration

Related Identifiers

AZL-64170
AZL-64175
AZL-64218
AZL-64244
AZL-77823
BDU:2025-09791
CVE-2025-50181
DLA-4421-1
ECHO-25D6-11BF-B17D
GHSA-PQ67-6M6Q-MJ2V
MGASA-2025-0281
OESA-2025-1958
OESA-2025-2317
OPENSUSE-SU-2025:15283-1
OPENSUSE-SU-2025:15284-1
OPENSUSE-SU-2026:10539-1
SUSE-SU-2025:02735-1
SUSE-SU-2025:02736-1
SUSE-SU-2025:02985-1
SUSE-SU-2025:20558-1
SUSE-SU-2025:20856-1
SUSE-SU-2025_02735-1
SUSE-SU-2025_02736-1
SUSE-SU-2025_02985-1
USN-7599-1
USN-7599-2

Affected Products

Alt Linux
Debian
Linuxmint
Red Os
Suse
Ubuntu
Urllib3