CVE-2025-50181
SSRF vulnerability in urllib3 (PyPI)

Type: SSRF | Known exploit: none | Fixable by: Resolved Security

What is CVE-2025-50181 About?

In affected versions of urllib3, redirects cannot be properly disabled at the `PoolManager` level, leaving applications vulnerable to Server-Side Request Forgery (SSRF) and open redirect attacks. An application that tries to mitigate these vulnerabilities by configuring `PoolManager` with a `retries` value intended to disable redirects remains exposed. Exploitation is relatively straightforward for an attacker who can control the target URL, because the intended security measure is silently bypassed.

Affected Software

urllib3 <2.5.0

Technical Details

The vulnerability lies in urllib3's handling of the `retries` parameter when it is provided during `PoolManager` instantiation, specifically when it is used to disable redirects. urllib3 uses the same mechanism for redirects and retries, controlled by the `Retry` object. While redirects can be disabled at the request level (e.g., `urllib3.request(..., redirect=False)`), setting `retries=0`, `retries=urllib3.Retry(redirect=0)`, or `retries=False` during `PoolManager` initialization is intended to disable redirects globally for that manager. However, the `retries` parameter is ignored in this context. Consequently, an application that disables redirects via `PoolManager` instantiation to prevent SSRF or open redirect vulnerabilities will still follow redirects, allowing an attacker who controls the URL to bypass the initial request target and potentially reach internal resources or redirect to arbitrary external sites.
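Added example (not code from the advisory or from urllib3): a stdlib `ast` audit that flags the manager-level pattern described above, i.e. `PoolManager`/`ProxyManager` constructed with `retries=0`, `retries=False` or `retries=Retry(redirect=0)`, which urllib3 <2.5.0 ignores. The sample source it scans is constructed here; its proxy host and URL are placeholders.

```python
import ast

# ProxyManager subclasses PoolManager and takes the same retries argument.
MANAGER_NAMES = {"PoolManager", "ProxyManager"}


def _name(node):
    """Resolve `PoolManager` or `urllib3.PoolManager` to its bare name."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return node.attr
    return None


def _is_zero_or_false(node):
    # 0 == False in Python, so this matches both spellings.
    return isinstance(node, ast.Constant) and node.value in (0, False)


def _disables_redirects_via_retries(value):
    """True for retries=0, retries=False or retries=Retry(redirect=0/False)."""
    if _is_zero_or_false(value):
        return True
    if isinstance(value, ast.Call) and _name(value.func) == "Retry":
        return any(kw.arg == "redirect" and _is_zero_or_false(kw.value)
                   for kw in value.keywords)
    return False


def find_manager_level_redirect_disabling(source):
    """Return sorted (lineno, snippet) pairs for every PoolManager/ProxyManager
    call whose retries argument is meant to disable redirects."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _name(node.func) in MANAGER_NAMES):
            continue
        for kw in node.keywords:
            if kw.arg == "retries" and _disables_redirects_via_retries(kw.value):
                findings.append((node.lineno, ast.unparse(node)))
    return sorted(findings)


# Constructed sample: lines 3, 4 and 5 rely on the ignored manager-level setting;
# line 6 does not, and line 7 shows the per-request mitigation that does work.
SAMPLE = '''\
import urllib3
from urllib3 import Retry
http = urllib3.PoolManager(retries=0)
proxy = urllib3.ProxyManager("http://proxy.placeholder:3128", retries=False)
flagged = urllib3.PoolManager(retries=Retry(total=3, redirect=0))
fine = urllib3.PoolManager(retries=Retry(total=3))
resp = fine.request("GET", "http://example.invalid/", redirect=False)
'''

if __name__ == "__main__":
    for line, snippet in find_manager_level_redirect_disabling(SAMPLE):
        print(f"line {line}: {snippet}  (redirects still followed on urllib3 <2.5.0)")
```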

What is the Impact of CVE-2025-50181?

Successful exploitation may allow attackers to bypass intended security controls, leading to Server-Side Request Forgery (SSRF) or open redirect attacks, potentially enabling unauthorized access to internal resources or phishing.

What is the Exploitability of CVE-2025-50181?

Exploitation involves an attacker providing a URL that the vulnerable application fetches through a `PoolManager` configured to disable redirects, which still follows them. The complexity is low, as it leverages a bypass of an intended security control rather than a complex injection. There are no authentication or privilege requirements to trigger the redirect. The attack is remote, as the attacker supplies the malicious URL. The primary prerequisite is that the application uses urllib3 and attempts to mitigate SSRF or open redirects by configuring `PoolManager` with `retries` to disable redirects instead of handling it at the individual request level. Risk is high for applications that use urllib3 to fetch URLs passed from untrusted sources and rely on the global `PoolManager` redirect disabling for security.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2025-50181?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch ensures that when a `PoolManager` is created with a `retries` argument, the value is properly interpreted: it is converted into a `Retry` object and the `raise_on_redirect` behavior is configured correctly. By enforcing the retry and redirect policies as configured, it fixes CVE-2025-50181, which allowed an attacker to bypass redirect limits or policies because integer or boolean `retries` values were not translated into safe retry logic, potentially leading to unexpected redirects or denial of service.

Available Upgrade Options

  • urllib3
    • <2.5.0 → Upgrade to 2.5.0


Additional Resources

What are Similar Vulnerabilities to CVE-2025-50181?

Similar Vulnerabilities: CVE-2023-38035, CVE-2022-41903, CVE-2021-33198, CVE-2020-13982, CVE-2019-9169