CVE-2023-43804
Information Leak vulnerability in urllib3 (PyPI)
What is CVE-2023-43804 About?
This vulnerability in urllib3 can lead to an information leak when specific conditions are met, primarily involving HTTP redirects. It arises when the `Cookie` header is used and automatic redirects are not disabled, causing sensitive cookie data to be sent to unintended origins. Exploitation is moderately complex as it requires a specific combination of factors and often relies on an attacker's ability to control redirect destinations.
Affected Software
- urllib3
- <1.26.17
- <644124ecd0b6e417c527191f866daa05a5a2056d
- >2.0.0, <2.0.6
Technical Details
The vulnerability in urllib3 (patched in v1.26.17 and v2.0.6) allows an information leak because of how HTTP redirects are handled when a Cookie header is manually supplied on a request. urllib3 does not manage cookies or treat the Cookie header specially; that is the caller's responsibility. However, if a caller includes a Cookie header and does not explicitly disable automatic redirects (e.g., `redirect=False`), urllib3 follows HTTP 3xx redirect responses. If a redirect points to a different origin (e.g., a server controlled by an attacker), the Cookie header, with whatever sensitive values it carries, is sent to that unintended destination. This cross-origin information leak is particularly risky if the initial request is over plain HTTP or if the origin server redirects to an attacker-controlled HTTPS endpoint.
What is the Impact of CVE-2023-43804?
Successful exploitation may allow attackers to obtain sensitive information, such as session tokens or user authentication data, from the `Cookie` header, potentially leading to session hijacking or unauthorized access.
What is the Exploitability of CVE-2023-43804?
Exploitation requires a specific set of conditions to be met, making its complexity moderate. Prerequisites include using an affected urllib3 version, explicitly setting the Cookie header in requests, and not disabling HTTP redirects. No particular authentication or privilege level is inherent to the vulnerability itself, but the cookies being leaked might be authentication tokens. Access is remote. The likelihood of exploitation increases if an application frequently uses manual Cookie headers, relies on urllib3's automatic redirects, and interacts with third-party services that could issue malicious redirects, especially over non-HTTPS connections or if the redirect goes to a malicious HTTPS endpoint.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-43804?
About the Fix from Resolved Security
The patch expands the default set of sensitive headers (remove_headers_on_redirect) to include "Cookie" alongside "Authorization," ensuring that cookies are stripped on HTTP redirects by default. This prevents an attacker from exploiting CVE-2023-43804, where cookies could be inadvertently sent to untrusted or cross-origin hosts during redirects, risking credential or session hijacking.
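The following is an added example, not code from urllib3 or from Resolved Security: a small self-contained model of the redirect behaviour described under Technical Details and of the fix described just above. It mimics a client that follows 3xx responses and strips a configurable set of header names (case-insensitively, as urllib3's `remove_headers_on_redirect` does) before each hop, then checks which sensitive headers reached an origin other than the one the request started at. The pre-fix default (only `Authorization` stripped) is contrasted with the fixed default (`Cookie` stripped as well). The hosts `app.example` and `attacker.example`, the response map, and the cookie and token values are all constructed for the demonstration.

```python
"""Added example (not urllib3's own code): model of header handling across redirects,
contrasting the pre-CVE-2023-43804 default with the fixed default."""

from urllib.parse import urljoin, urlsplit

# Default header names stripped on redirect, as described for urllib3 before and after
# the fix. Names are kept lower-case because matching is case-insensitive.
PRE_FIX_DEFAULT = frozenset({"authorization"})
FIXED_DEFAULT = frozenset({"authorization", "cookie"})

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def origin(url: str) -> str:
    """Return scheme://host[:port], the boundary a cookie must not cross unintentionally."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def headers_for_redirect(headers: dict, remove_on_redirect: frozenset) -> dict:
    """Headers to send on the next hop: drop any name in remove_on_redirect, case-insensitively."""
    return {k: v for k, v in headers.items() if k.lower() not in remove_on_redirect}


def follow_redirects(url, headers, responses, remove_on_redirect, redirect=True, max_redirects=5):
    """Walk the constructed `responses` map (url -> (status, location)) like an
    auto-redirecting client. Returns the list of (url, headers) actually sent.
    With redirect=False only the first request is made, mirroring a client that
    has automatic redirects disabled."""
    sent = []
    current = dict(headers)
    for _ in range(max_redirects + 1):
        sent.append((url, dict(current)))
        status, location = responses.get(url, (200, None))
        if not redirect or status not in REDIRECT_STATUSES or location is None:
            return sent
        url = urljoin(url, location)
        # Like urllib3, strip the configured headers on every redirect, not only cross-origin ones.
        current = headers_for_redirect(current, remove_on_redirect)
    raise RuntimeError("too many redirects")


def cross_origin_leaks(sent, start_url, sensitive=("cookie", "authorization")):
    """Detector: hops to a different origin that still carry a sensitive header.
    Returns a list of (url, [header names]) so the caller can see exactly what leaked."""
    start = origin(start_url)
    leaks = []
    for url, hdrs in sent:
        if origin(url) != start:
            leaked = sorted(h for h in hdrs if h.lower() in sensitive)
            if leaked:
                leaks.append((url, leaked))
    return leaks


# Constructed scenario: the first server answers with a 302 to another origin.
START_URL = "https://app.example/login"
RESPONSES = {
    START_URL: (302, "https://attacker.example/collect"),
    "https://attacker.example/collect": (200, None),
}
REQUEST_HEADERS = {
    "Cookie": "session=constructed-token",        # constructed value
    "Authorization": "Bearer constructed-bearer",  # constructed value
}


def demo(remove_on_redirect, redirect=True):
    """Run the constructed scenario and return the cross-origin leaks it produces."""
    sent = follow_redirects(START_URL, REQUEST_HEADERS, RESPONSES, remove_on_redirect, redirect)
    return cross_origin_leaks(sent, START_URL)


if __name__ == "__main__":
    print("pre-fix default:    ", demo(PRE_FIX_DEFAULT))   # Cookie reaches attacker.example
    print("fixed default:      ", demo(FIXED_DEFAULT))     # nothing sensitive leaves the origin
    print("redirects disabled: ", demo(PRE_FIX_DEFAULT, redirect=False))  # no second hop at all
```

In real urllib3 the two controls this model stands in for are the `retries=` argument, built as `urllib3.util.Retry(remove_headers_on_redirect=[...])`, and `redirect=False` on `urlopen`/`request`; the fixed releases (1.26.17 and 2.0.6) simply add `Cookie` to the default removal set, so callers on those versions get the `FIXED_DEFAULT` behaviour without changing code. Note that, as in urllib3, the stripping applies to every redirect rather than only cross-origin ones; the `cross_origin_leaks` function is only the detector used to show the difference.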
Available Upgrade Options
- urllib3
- >2.0.0, <2.0.6 → Upgrade to 2.0.6
- urllib3
- <644124ecd0b6e417c527191f866daa05a5a2056d → Upgrade to 644124ecd0b6e417c527191f866daa05a5a2056d
- urllib3
- <1.26.17 → Upgrade to 1.26.17
Additional Resources
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAGZXYJ7H2G3SB47M453VQVNAWKAEJJ
- https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html
- https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f
- https://github.com/urllib3/urllib3
- https://osv.dev/vulnerability/PYSEC-2023-192
- https://www.vicarius.io/vsociety/posts/cve-2023-43804-urllib3-vulnerability-3
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I3PR7C6RJ6JUBQKIJ644DMIJSUP36VDY
- https://security.netapp.com/advisory/ntap-20241213-0007/
What are Similar Vulnerabilities to CVE-2023-43804?
Similar Vulnerabilities: CVE-2023-32731, CVE-2022-3105, CVE-2021-23343, CVE-2020-11008, CVE-2018-7489
