CVE-2025-50182: urllib3 does not control redirects in browsers and Node.js

June 18, 2025 (updated June 30, 2025)

urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means you can use Python libraries to make HTTP requests from your browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects.

However, the retries and redirect parameters are ignored with Pyodide; the runtime itself determines redirect behavior.

References

github.com/advisories/GHSA-48p4-8xcf-vxj5
github.com/urllib3/urllib3
github.com/urllib3/urllib3/commit/7eb4a2aafe49a279c29b6d1f0ed0f42e9736194f
github.com/urllib3/urllib3/security/advisories/GHSA-48p4-8xcf-vxj5
nvd.nist.gov/vuln/detail/CVE-2025-50182

Code Behaviors & Features

Detect and mitigate CVE-2025-50182 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →