CVE-2025-50181
SSRF vulnerability in urllib3

SSRF No known exploit

What is CVE-2025-50181 About?

In urllib3 before 2.5.0, redirects cannot be disabled at the `PoolManager` level: a `retries` argument passed to the `PoolManager` constructor to turn redirects off is ignored, and the manager keeps following redirects. An application that relies on that setting to mitigate Server-Side Request Forgery (SSRF) or open redirects therefore remains exposed. Exploitation is straightforward for an attacker who controls the target URL, since the intended control is simply bypassed.

Affected Software

urllib3 <2.5.0

Technical Details

`urllib3` handles redirects and retries with the same mechanism, controlled by the `Retry` object, so redirects can be limited or disabled either per request or for a whole `PoolManager`. At the request level, `urllib3.request(..., redirect=False)` works as documented. At the manager level, `PoolManager(retries=0)`, `PoolManager(retries=urllib3.Retry(redirect=0))` and `PoolManager(retries=False)` are all intended to disable redirects for every request made through that manager. In affected versions, however, the `retries` value given to the constructor is ignored when the manager decides whether to follow a redirect, so it follows the redirect anyway. An application that disables redirects this way to block SSRF or open redirects therefore still follows attacker-chosen `Location` headers, letting a controlled URL pivot an initially permitted request target to internal resources or to arbitrary external sites.

What is the Impact of CVE-2025-50181?

Successful exploitation bypasses an intended security control and enables Server-Side Request Forgery (SSRF) or open redirect attacks, which can expose internal resources or be used for phishing.

What is the Exploitability of CVE-2025-50181?

An attacker supplies a URL that the application fetches through a `PoolManager` configured to disable redirects; the response redirects, and the manager follows it. Complexity is low: this is a bypass of an intended control, not an injection. No authentication or privileges are required, and the attack is remote, since the attacker only needs to control the URL (or the redirect target) the application requests. The one prerequisite is that the application relies on the `PoolManager`-level `retries` setting rather than per-request `redirect=False` to disable redirects. Risk is highest for applications that fetch URLs taken from untrusted input and depend on that global setting as their SSRF control.
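The following Python probe is an added example, not code from the advisory or from the urllib3 project. It demonstrates the behaviour described in the Technical Details and Exploitability sections against the urllib3 that is actually installed: it constructs a local redirecting HTTP fixture (the `/start` and `/internal` paths and the marker body are made up here and stand in for an attacker-controlled URL that redirects to an internal resource), then classifies what each advisory-listed `PoolManager` configuration does with the redirect, alongside the request-level `redirect=False` control. The outcome labels `followed` and `not_followed` are mine.

```python
"""Behavioural probe for CVE-2025-50181 (added example, not urllib3 code).

A local http.server fixture (constructed here) plays the attacker-controlled
URL: /start answers 302 -> /internal, and /internal answers 200 with a marker
body standing in for an internal resource. The probe then asks the installed
urllib3 whether each advisory-listed PoolManager-level configuration, and the
request-level redirect=False control, actually stops the redirect.
"""
from __future__ import annotations

import threading
from functools import partial
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

try:
    import urllib3
    from urllib3.exceptions import MaxRetryError
except ImportError:  # probe degrades gracefully when urllib3 is absent
    urllib3 = None
    MaxRetryError = Exception

INTERNAL_BODY = b"internal-resource-reached"  # constructed marker, not real data


class _RedirectFixture(BaseHTTPRequestHandler):
    def do_GET(self) -> None:
        if self.path == "/start":
            self.send_response(302)
            self.send_header("Location", "/internal")
            self.send_header("Content-Length", "0")
            self.end_headers()
        elif self.path == "/internal":
            self.send_response(200)
            self.send_header("Content-Length", str(len(INTERNAL_BODY)))
            self.end_headers()
            self.wfile.write(INTERNAL_BODY)
        else:
            self.send_error(404)

    def log_message(self, *args) -> None:  # silence request logging
        pass


def start_fixture() -> tuple[ThreadingHTTPServer, str]:
    """Bind the fixture to an ephemeral loopback port and serve it in a thread."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), _RedirectFixture)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def classify(make_request) -> str:
    """'followed' means the client silently landed on /internal (the SSRF
    outcome); 'not_followed' means it stopped at the 3xx, either by returning
    it or by raising MaxRetryError. Both stops are acceptable for a control."""
    try:
        resp = make_request()
    except MaxRetryError:
        return "not_followed"
    if resp.status == 200 and resp.data == INTERNAL_BODY:
        return "followed"
    if 300 <= resp.status < 400:
        return "not_followed"
    return f"unexpected:{resp.status}"


def probe(base_url: str) -> dict[str, str]:
    """Run every configuration against the fixture and report the outcome."""
    if urllib3 is None:
        return {"urllib3": "not installed"}
    url = base_url + "/start"
    report = {"urllib3": urllib3.__version__}
    pool_level = {  # the three manager-level forms named in the advisory
        "PoolManager(retries=0)": {"retries": 0},
        "PoolManager(retries=Retry(redirect=0))": {"retries": urllib3.Retry(redirect=0)},
        "PoolManager(retries=False)": {"retries": False},
    }
    for label, kwargs in pool_level.items():
        pm = urllib3.PoolManager(**kwargs)
        report[label] = classify(partial(pm.request, "GET", url))
    # Request-level control: honoured in affected and fixed versions alike.
    pm = urllib3.PoolManager()
    report["request(redirect=False)"] = classify(
        partial(pm.request, "GET", url, redirect=False)
    )
    return report


def run_probe() -> dict[str, str]:
    server, base_url = start_fixture()
    try:
        return probe(base_url)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for setting, outcome in run_probe().items():
        print(f"{setting:45} {outcome}")
```

Run it as a script against the environment you ship. On an affected version the three `PoolManager` rows read `followed` while `request(redirect=False)` reads `not_followed`, which is exactly the gap the advisory describes. The probe treats a returned 3xx and a raised `MaxRetryError` as equivalent, because either means the redirect was not followed; code that wants the 3xx response back rather than an exception can construct its `Retry` with `raise_on_redirect=False`.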

What are the Known Public Exploits?

No known public exploits.

What are the Available Fixes for CVE-2025-50181?

Available Upgrade Options

  • urllib3
    • <2.5.0 → Upgrade to 2.5.0

If upgrading is not immediately possible, pass `redirect=False` on each individual request; the request-level setting is honored in affected versions, unlike the `PoolManager`-level `retries` setting.

Additional Resources

What are Similar Vulnerabilities to CVE-2025-50181?

Similar Vulnerabilities: CVE-2023-38035, CVE-2022-41903, CVE-2021-33198, CVE-2020-13982, CVE-2019-9169