PT-2025-26199 · Pypi+4 · Urllib3+4

Illia-V · Published 2025-06-18 · Updated 2026-05-19 · CVE-2025-50182

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: urllib3 versions prior to 2.5.0
Description: The issue concerns urllib3, a Python HTTP client library, which prior to version 2.5.0 does not control redirects when running in browsers and Node.js. The library supports being used in a Pyodide runtime, where it uses the JavaScript Fetch API or falls back on XMLHttpRequest, allowing Python libraries to make HTTP requests from a browser or Node.js. However, under Pyodide the retries and redirect parameters are ignored, because the runtime itself determines redirect behavior. Redirects can be used to exploit SSRF vulnerabilities, so applications that attempt to mitigate SSRF or open redirect vulnerabilities by disabling redirects may remain vulnerable when run in a Pyodide runtime, since the runtime's own redirect handling takes over.
Recommendations: For versions prior to 2.5.0, upgrade to a patched version of urllib3. As a temporary workaround, consider restricting the use of urllib3 in a Pyodide runtime to minimize the risk of exploitation. Avoid relying on urllib3 to control the number of redirects for an HTTP request in a Pyodide runtime until the issue is resolved.
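A host-allowlist guard that does not depend on the HTTP client honouring redirect=False, added here as an illustration of the mitigation the advisory describes (this is not code from urllib3, Pyodide or the advisory). The client class is a hypothetical stand-in that models the bug by following redirects regardless of the flag, the routes are constructed sample data, and whether a Pyodide response exposes the final URL is an assumption, so the guard fails closed when it is missing.

```python
from collections import namedtuple
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"api.example.com"}  # constructed allowlist for the example
# `url` is where the body actually came from, if the runtime exposes it (assumed); None otherwise
Response = namedtuple("Response", "status headers url")

class RuntimeFollowsRedirects:
    # Hypothetical stand-in client modelling the bug: the `redirect` flag is ignored.
    def __init__(self, routes):
        self.routes = routes  # url -> (status, headers); constructed sample data

    def request(self, method, url, redirect=True, hops=5):
        for _ in range(hops):
            status, headers = self.routes[url]
            if status not in (301, 302, 303, 307, 308):
                return Response(status, headers, url)
            url = headers["Location"]  # followed even when redirect=False
        raise RuntimeError("too many redirects")

def allowed(url):
    # https only, to an allowlisted host; hostname (not netloc) ignores userinfo and port
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS

def safe_request(client, url):
    # Allowlist the target before the request, then re-check where the response came from.
    if not allowed(url):
        raise ValueError("refused before request: " + url)
    resp = client.request("GET", url, redirect=False)
    if resp.url is None:  # cannot verify the final URL: fail closed
        raise RuntimeError("final URL unavailable")
    if not allowed(resp.url):
        raise RuntimeError("redirect left the allowlist: " + resp.url)
    return resp

def outcome(client, url):
    # ('ok', status) or ('refused', reason), so the guard's decision is easy to check
    try:
        return ("ok", safe_request(client, url).status)
    except (ValueError, RuntimeError) as exc:
        return ("refused", str(exc))

DEMO_ROUTES = {  # constructed sample responses
    "https://api.example.com/ok": (200, {}),
    "https://api.example.com/jump": (302, {"Location": "http://internal.example.test/admin"}),
    "http://internal.example.test/admin": (200, {}),
}
```

Against a real client the same post-request check applies to whatever final-URL attribute the runtime provides; if none is available, the only safe choice is to refuse the response.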

Exploit · Fix

Weakness Enumeration: Open Redirect

Related Identifiers

BDU:2025-09780
CVE-2025-50182
ECHO-3380-B531-9695
GHSA-48P4-8XCF-VXJ5
OPENSUSE-SU-2025:15283-1
USN-7599-1

Affected Products

Astra Linux
Debian
Linuxmint
Ubuntu
Urllib3