urllib3 Cross-Origin Redirects Vulnerability in ProxyManager Low-Level API

Vulnerability

A vulnerability in urllib3, an HTTP client library for Python, allows sensitive request headers to be forwarded to a different origin when a cross-origin redirect is followed. The issue affects urllib3 versions from 1.23 up to, but not including, 2.7.0, and is specific to the low-level API: obtaining a pool with ProxyManager.connection_from_url() and calling urlopen(..., assert_same_host=False) on it. Because assert_same_host=False lets that pool follow a redirect to any host (the proxy will connect anywhere), the redirected request is re-sent with the original headers intact; Authorization, Cookie and Proxy-Authorization are not stripped at the origin boundary as the high-level redirect flow does. The high-level ProxyManager.request() / PoolManager.request() path is not affected.

Impact

Credentials that the caller attached for the first origin (a bearer token in Authorization, a session cookie in Cookie, or proxy credentials in Proxy-Authorization) are delivered to whatever host the redirect points at. Any server or intermediary that can issue a redirect to the affected client, or that simply sits behind an open redirect on the original host, can therefore capture those headers. The exposure is passive from the client's point of view: nothing in the response indicates that the credentials were forwarded.

Remediation

Upgrade to urllib3 2.7.0 or later, where the low-level redirect flow strips these headers on cross-origin redirects. Check the installed version with `python -c "import urllib3; print(urllib3.__version__)"` (or `pip show urllib3`). If an immediate upgrade is not possible, do not use the low-level redirect flow for requests that may be redirected across origins: either call urlopen() with redirect=False and handle the Location header yourself, dropping credential-bearing headers before re-sending to a different scheme, host or port, or, where appropriate, switch to ProxyManager.request(), which goes through the high-level redirect handling. Audit the code base for assert_same_host=False to find the affected call sites.
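The following is an added example, not urllib3's own code and not part of this advisory. It mirrors the rule the high-level redirect flow applies (drop Authorization, Cookie and Proxy-Authorization when the redirect target's scheme, host or port differs) and contrasts it with the behaviour described above for the low-level path, where every hop receives the caller's headers unchanged. The redirect chain is a constructed in-memory table, so no network or urllib3 install is needed; the helper names (origin, strip_sensitive_headers, follow_low_level, follow_hardened) and the constructed URLs are assumptions for illustration only.

```python
"""Added example: header stripping on cross-origin redirects.

Not urllib3 code. Reproduces the origin check and header filter that the
high-level PoolManager/ProxyManager.request() flow performs, so that a caller
stuck on the low-level path can apply the same rule while handling redirects
manually (urlopen(..., redirect=False) + Location).
"""
from urllib.parse import urlsplit

# Same default set as urllib3's Retry.remove_headers_on_redirect.
SENSITIVE_HEADERS = frozenset({"authorization", "cookie", "proxy-authorization"})

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """(scheme, host, port) with the default port filled in, so that
    http://a.example and http://a.example:80 compare as the same origin."""
    parts = urlsplit(url)
    scheme = (parts.scheme or "http").lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def is_same_origin(url_a, url_b):
    return origin(url_a) == origin(url_b)


def strip_sensitive_headers(headers, from_url, to_url):
    """Return a copy of headers; credential-bearing ones are removed when the
    redirect leaves the origin. Header names are compared case-insensitively."""
    if is_same_origin(from_url, to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


# Constructed redirect chain standing in for live servers (assumption):
# url -> (status, Location header or None). The second hop leaves the origin.
REDIRECTS = {
    "https://api.example.com/login": (302, "https://api.example.com:443/v2/login"),
    "https://api.example.com:443/v2/login": (302, "http://cdn.example.net/asset"),
    "http://cdn.example.net/asset": (200, None),
}


def follow_low_level(url, headers, redirects=REDIRECTS, max_redirects=5):
    """Behaviour the advisory describes for the affected path: each hop is
    sent the caller's headers unchanged, whatever origin it belongs to.
    Returns the list of (url, headers_sent) per hop."""
    hops = []
    for _ in range(max_redirects + 1):
        status, location = redirects[url]
        hops.append((url, dict(headers)))
        if location is None:
            return hops
        url = location
    raise RuntimeError("too many redirects")


def follow_hardened(url, headers, redirects=REDIRECTS, max_redirects=5):
    """Same loop, but the header set is filtered at every cross-origin hop."""
    hops = []
    current = dict(headers)
    for _ in range(max_redirects + 1):
        status, location = redirects[url]
        hops.append((url, dict(current)))
        if location is None:
            return hops
        current = strip_sensitive_headers(current, url, location)
        url = location
    raise RuntimeError("too many redirects")


if __name__ == "__main__":
    creds = {"Authorization": "Bearer t0k3n", "Cookie": "sid=1", "Accept": "application/json"}
    for label, fn in (("low-level", follow_low_level), ("hardened", follow_hardened)):
        print(label)
        for hop_url, sent in fn("https://api.example.com/login", creds):
            print("  ", hop_url, sorted(sent))
```

In the hardened flow the explicit ":443" on the first hop is recognised as the same origin, so the token survives that redirect, while the hop to cdn.example.net (different host and scheme) receives only the Accept header. Treat a wrapper like this as a stopgap: the durable fix is the upgrade, and if you stay on the low-level API you also inherit responsibility for redirect limits and method/body handling that the high-level flow normally takes care of.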

Added: May 13, 2026, 5:23 PM
Updated: May 13, 2026, 5:23 PM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 2.5
exploitability: 4.7
remediation: 8.3
relevance: 8.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.