
Cloud Vulnerability DB
A community-led vulnerabilities database
urllib3, a user-friendly HTTP client library for Python, was found to contain a security vulnerability (CVE-2025-50181) affecting versions prior to 2.5.0. The vulnerability was discovered by Jacob Sandum and disclosed on June 18, 2025. The issue occurs when attempting to disable redirects at the PoolManager level, where the retries parameter is ignored, causing redirects to remain enabled even when explicitly configured to be disabled (GitHub Advisory, NVD).
The root cause is that urllib3 configures both connection retries and redirect handling through the same Retry object, but before 2.5.0 the Retry settings stored on a PoolManager were not consulted when the PoolManager decided whether to follow a redirect. Instantiating a PoolManager with retries=0, retries=urllib3.Retry(redirect=0), or retries=False therefore left redirect following at its default (enabled); only a Retry object or redirect flag passed to the individual request() call took effect. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N (GitHub Advisory).
The primary impact is that applications which tried to mitigate SSRF (Server-Side Request Forgery) or open-redirect risk by disabling redirects at the PoolManager level were still following redirects, so a server the application was tricked into contacting could bounce the request to a destination the redirect policy was meant to block. Users of the requests and botocore libraries are not affected by default (GitHub Advisory, Wiz).
The vulnerability is fixed in urllib3 2.5.0. Upgrade to 2.5.0 or later; where that is not immediately possible, disable redirects at the request() level (for example, by passing redirect=False on each call) rather than relying on the PoolManager() constructor. The fix is not available for the unsupported urllib3 1.x line; organizations that need continued 1.x support are encouraged to contact the maintainers about sponsorship or contribution (GitHub Advisory, Ubuntu Security Notice).
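The following is an added example, not code from the advisory or from the urllib3 project. It covers both the mechanism described above (a Retry object handed to PoolManager() that is not consulted for redirects) and the recommended workaround (turning redirects off on the request() call). It stands up a constructed local HTTP server whose /start path answers 302 to /final, then runs the same GET through both patterns and reports whether the redirect was followed. The helper names, the /start and /final paths, the response body, and the loose version parser in is_affected_version are assumptions made for this example.

```python
"""
Added example, not code from the urllib3 advisory or the urllib3 project:
a constructed local redirect server plus the two ways of disabling
redirects that the advisory contrasts. Helper names, the server paths
(/start, /final), the response body and the version parser are
assumptions made for this example.
"""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

import urllib3
from urllib3.exceptions import MaxRetryError
from urllib3.util.retry import Retry


class RedirectHandler(BaseHTTPRequestHandler):
    """Constructed test server: GET /start answers 302 -> /final; /final answers 200."""

    def do_GET(self):
        if self.path == "/start":
            self.send_response(302)
            self.send_header("Location", "/final")
            self.end_headers()
        else:
            body = b"reached target"
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_server():
    """Bind to an ephemeral loopback port and serve in a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), RedirectHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/start"


def is_affected_version(version=urllib3.__version__):
    """True for urllib3 releases before 2.5.0 (loose parse; pre-release suffixes ignored)."""
    parts = []
    for piece in version.split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits or 0))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts) < (2, 5, 0)


def redirect_followed(http, url, **request_kw):
    """True if the GET ended on /final (redirect followed), False if urllib3 stopped at the 302.

    A Retry with redirect=0 and raise_on_redirect=True surfaces as MaxRetryError
    rather than as a 302 response, so both outcomes count as 'not followed'.
    """
    try:
        response = http.request("GET", url, **request_kw)
    except MaxRetryError:
        return False
    return response.status == 200 and response.data == b"reached target"


def pool_level_disable(url):
    """The pattern the advisory describes: redirects 'disabled' only on the PoolManager.

    Before 2.5.0 this Retry object governed connection retries but was not consulted
    when deciding whether to follow a redirect, so the 302 was followed anyway.
    """
    http = urllib3.PoolManager(retries=Retry(redirect=0))
    return redirect_followed(http, url)


def request_level_disable(url):
    """The advisory's workaround: turn redirects off on the request() call itself."""
    http = urllib3.PoolManager()
    return redirect_followed(http, url, redirect=False)


def run_demo():
    """Exercise both patterns against the local server and report what happened."""
    server, url = start_server()
    try:
        result = {
            "urllib3_version": urllib3.__version__,
            "affected_version": is_affected_version(),
            "pool_level_followed_redirect": pool_level_disable(url),
            "request_level_followed_redirect": request_level_disable(url),
        }
    finally:
        server.shutdown()
        server.server_close()
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run it under the urllib3 version your application actually ships. Per the advisory, on a release before 2.5.0 the pool-level pattern should report that the redirect was followed while the request-level pattern reports that it was not; on 2.5.0 or later both should report not followed. The request-level result is the one to rely on when you cannot upgrade, and the version check is a cheap gate to add to a dependency audit.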
Source: This report was generated using AI