CVE-2025-50181
SSRF vulnerability in urllib3 (PyPI)
What is CVE-2025-50181 About?
This vulnerability in urllib3 means that disabling redirects at the `PoolManager` level does not take effect, leaving applications that rely on that setting exposed to Server-Side Request Forgery (SSRF) and open redirect attacks. An application that configures `PoolManager` with `retries` set to disable redirects, intending to mitigate these attacks, remains exposed because its requests still follow redirects. Exploitation is straightforward for an attacker who can control the target URL, since the intended security measure is simply bypassed.
Affected Software
urllib3 (PyPI), versions earlier than 2.5.0.
Technical Details
urllib3 implements redirects and retries with a single mechanism, the `Retry` object, and offers two places to disable redirects. At the request level, `urllib3.request(..., redirect=False)` (or `PoolManager.request(..., redirect=False)`) returns the 3xx response instead of following it. At the `PoolManager` level, passing `retries=0`, `retries=urllib3.Retry(redirect=0)`, or `retries=False` to the constructor is intended to disable redirects for every request made through that manager.

In affected versions the `retries` value given to the `PoolManager` constructor is not consulted when the manager decides whether to follow a redirect, so the manager-level setting has no effect and redirects are followed as if the default `Retry` were in place. An application that relies on that setting to prevent SSRF or open redirects therefore still follows attacker-influenced `Location` headers, which can move a request from its intended target to an internal resource or to an arbitrary external site. The request-level `redirect=False` is not affected and is the advisory's recommended workaround where an upgrade to 2.5.0 is not immediately possible.
What is the Impact of CVE-2025-50181?
Successful exploitation allows an attacker to bypass an intended security control and mount Server-Side Request Forgery (SSRF) or open redirect attacks. SSRF can give unauthorized access to resources reachable only from the application's network; an open redirect can send users to attacker-chosen sites, typically for phishing.
What is the Exploitability of CVE-2025-50181?
Exploitation requires only that the vulnerable application fetch a URL the attacker can influence through a `PoolManager` whose constructor-level `retries` setting was relied on to block redirects. The attacker points the application at a server they control, which answers with a 3xx response whose `Location` header names the real target, typically an address reachable from the application's network but not from the attacker; the application follows it despite the intended restriction. No authentication or privileges are needed, the attack is remote, and the complexity is low because it bypasses an intended control rather than requiring any injection. The prerequisite is specific: the application must use urllib3 earlier than 2.5.0 and must disable redirects at the `PoolManager` level rather than per request. Risk is highest for applications that fetch URLs supplied by untrusted users and rely on the manager-level setting as their SSRF or open-redirect control.
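As an added example covering both the Technical Details and the exploitability discussion above (this is not code from the urllib3 project or from the advisory), the following Python probe checks how the urllib3 installed in an environment treats the two configurations. It starts a local HTTP server, a constructed fixture standing in for an attacker-controlled origin, that answers every request with a 302 whose Location header points at a /internal path on the same server, which plays the part of an internal-only resource. It then issues one request through `PoolManager(retries=False)` with no request-level override (the configuration the advisory describes as ignored) and one through a default `PoolManager` with `redirect=False` on the request (the advisory's workaround). The names `version_is_affected`, `probe_installed_urllib3`, `_RedirectingHandler` and the `/start` and `/internal` paths are this example's own choices, not anything from urllib3.

```python
"""Probe whether the installed urllib3 honours redirect-disabling at PoolManager level.

Added example, not code from the urllib3 project or the advisory. The local
HTTP server below is a constructed fixture: it plays the attacker-controlled
origin, answering every path except /internal with a 302 to /internal, which
stands in for a resource that should only be reachable from inside.
"""
import re
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from typing import Optional

FIXED_IN = (2, 5, 0)  # first release with the fix, per GHSA-pq67-6m6q-mj2v


def version_is_affected(version: str) -> bool:
    """True when a urllib3 version string falls in the affected range (< 2.5.0)."""
    match = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if match is None:
        raise ValueError(f"unparseable urllib3 version: {version!r}")
    major, minor, patch = (int(p or 0) for p in match.groups())
    return (major, minor, patch) < FIXED_IN


class _RedirectingHandler(BaseHTTPRequestHandler):
    """Attacker-style origin: redirects everything to the 'internal' path."""

    def do_GET(self) -> None:
        if self.path == "/internal":
            body = b"internal resource reached"
            self.send_response(200)
        else:
            body = b"redirecting"
            self.send_response(302)
            host, port = self.server.server_address
            self.send_header("Location", f"http://{host}:{port}/internal")
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args) -> None:  # keep the probe quiet
        pass


def probe_installed_urllib3() -> Optional[dict]:
    """Return how the installed urllib3 treats the two configurations, or None
    when urllib3 is not importable.

    pool_level_followed_redirect: PoolManager(retries=False) plus a plain
        request(); True means the 302 was followed to /internal (vulnerable).
    request_level_followed_redirect: request(..., redirect=False), the
        advisory's workaround; expected False on every release.
    """
    try:
        import urllib3
        from urllib3.exceptions import MaxRetryError
    except ImportError:
        return None

    server = ThreadingHTTPServer(("127.0.0.1", 0), _RedirectingHandler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    start_url = f"http://127.0.0.1:{server.server_address[1]}/start"

    def reached_internal(pool, **request_kw) -> bool:
        try:
            resp = pool.request("GET", start_url, timeout=5.0, **request_kw)
        except MaxRetryError:
            # A Retry that still raises on its first redirect (raise_on_redirect
            # left True) surfaces here instead of returning the 3xx; either way
            # the redirect was not followed.
            return False
        return resp.status == 200  # 200 only comes from /internal

    try:
        pool_level = reached_internal(urllib3.PoolManager(retries=False))
        request_level = reached_internal(urllib3.PoolManager(), redirect=False)
    finally:
        server.shutdown()
        server.server_close()

    return {
        "version": urllib3.__version__,
        "pool_level_followed_redirect": pool_level,
        "request_level_followed_redirect": request_level,
    }


if __name__ == "__main__":
    result = probe_installed_urllib3()
    if result is None:
        print("urllib3 is not installed")
    else:
        verdict = "followed" if result["pool_level_followed_redirect"] else "blocked"
        print(f"urllib3 {result['version']}: PoolManager(retries=False) {verdict} "
              f"the redirect; request(redirect=False) "
              f"{'followed' if result['request_level_followed_redirect'] else 'blocked'} it")
```

On an affected release the first probe reports that the redirect was followed, that is, the request reached /internal; on 2.5.0 or later it reports the 302 as returned unfollowed. The request-level check reports the redirect as blocked on every release, which is why it is the setting to rely on until the upgrade lands. The `MaxRetryError` branch exists because a `Retry` whose `raise_on_redirect` is still True raises on the first redirect rather than handing back the 3xx; both outcomes count as the redirect not being followed.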
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2025-50181?
Available Upgrade Options
- urllib3
- <2.5.0 → Upgrade to 2.5.0
Additional Resources
- https://osv.dev/vulnerability/GHSA-pq67-6m6q-mj2v
- https://nvd.nist.gov/vuln/detail/CVE-2025-50181
- https://github.com/urllib3/urllib3/security/advisories/GHSA-pq67-6m6q-mj2v
- https://github.com/urllib3/urllib3/commit/f05b1329126d5be6de501f9d1e3e36738bc08857
- https://github.com/urllib3/urllib3
What are Similar Vulnerabilities to CVE-2025-50181?
Similar Vulnerabilities: CVE-2023-38035, CVE-2022-41903, CVE-2021-33198, CVE-2020-13982, CVE-2019-9169
