Skip to content

CVE-2025-50182 (Medium) detected in urllib3-1.26.20-py2.py3-none-any.whl, urllib3-1.26.19-py2.py3-none-any.whl #929

New issue
New issue
Open
Open
CVE-2025-50182 (Medium) detected in urllib3-1.26.20-py2.py3-none-any.whl, urllib3-1.26.19-py2.py3-none-any.whl#929
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by WhiteSource
@mend-for-github-com

Description

@mend-for-github-com
mend-for-github-com
bot
opened on Jun 26, 2025

CVE-2025-50182 - Medium Severity Vulnerability

Vulnerable Libraries - urllib3-1.26.20-py2.py3-none-any.whl, urllib3-1.26.19-py2.py3-none-any.whl

urllib3-1.26.20-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/33/cf/8435d5a7159e2a9c83a95896ed596f68cf798005fe107cc655b5c5c14704/urllib3-1.26.20-py2.py3-none-any.whl

Path to dependency file: /tmp/ws-scm/opensearch-py

Path to vulnerable library: /tmp/ws-ua_20250828073401_LMQDHB/python_STBXPM/20250828073402/urllib3-1.26.20-py2.py3-none-any.whl

Dependency Hierarchy:

  • urllib3-1.26.20-py2.py3-none-any.whl (Vulnerable Library)
urllib3-1.26.19-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/ae/6a/99eaaeae8becaa17a29aeb334a18e5d582d873b6f084c11f02581b8d7f7f/urllib3-1.26.19-py2.py3-none-any.whl

Path to dependency file: /samples/.ws-temp-DZSFGI-requirements.txt

Path to vulnerable library: /tmp/containerbase/cache/.cache/pypoetry/virtualenvs/package-cbrn6T-w-py3.9/lib/python3.9/site-packages/urllib3-1.26.19.dist-info,/tmp/containerbase/cache/.cache/pypoetry/virtualenvs/opensearch-py-benchmarks-NjCgjYIu-py3.9/lib/python3.9/site-packages/urllib3-1.26.19.dist-info

Dependency Hierarchy:

  • boto3-1.34.160-py3-none-any.whl (Root Library)
    • botocore-1.34.160-py3-none-any.whl
      • urllib3-1.26.19-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: bf9add4eede4815f68ab99d7df8d0e2d3c6931bd

Found in base branch: main

Vulnerability Details

urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means Python libraries can be used to make HTTP requests from a browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects, but the retries and redirect parameters are ignored with Pyodide; the runtime itself determines redirect behavior. This issue has been patched in version 2.5.0.

Publish Date: 2025-06-19

URL: CVE-2025-50182

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-06-19

Fix Resolution (urllib3): 2.5.0

Direct dependency fix Resolution (boto3): 1.34.161

  • Check this box to open an automated fix PR

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by WhiteSource

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions