CVE-2023-43804 Overview
CVE-2023-43804 is an information disclosure vulnerability in urllib3, a widely-used HTTP client library for Python. The vulnerability occurs because urllib3 doesn't treat the Cookie HTTP header specially when handling HTTP redirects. When a user specifies a Cookie header and the server redirects to a different origin, the cookie information is leaked to the redirect target unless the user has explicitly disabled redirects.
Critical Impact
Applications using urllib3 with custom Cookie headers may unknowingly leak sensitive authentication cookies to third-party domains during cross-origin redirects, potentially leading to session hijacking or unauthorized access.
Affected Products
- Python urllib3 versions prior to 1.26.17
- Python urllib3 versions 2.x prior to 2.0.5
- Debian Linux 10.0
- Fedora 37, 38, and 39
Discovery Timeline
- 2023-10-02 - Security patches released in urllib3 versions 1.26.17 and 2.0.6
- 2023-10-04 - CVE CVE-2023-43804 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2023-43804
Vulnerability Analysis
This vulnerability exists in urllib3's redirect handling mechanism. The library provides a retry/redirect system that automatically follows HTTP redirects (3xx responses). However, prior to the patch, the Cookie header was not included in the list of headers that should be stripped when redirecting to a different host.
The urllib3 library already had a mechanism (Retry.remove_headers_on_redirect) to strip sensitive headers like Authorization when following redirects to different origins. This is a crucial security measure to prevent credential leakage. However, the Cookie header was overlooked in this protection, creating a scenario where session cookies and other sensitive cookie data could be transmitted to unintended third-party servers.
Root Cause
The root cause is an incomplete implementation of the sensitive header stripping mechanism in urllib3's retry module. The DEFAULT_REMOVE_HEADERS_ON_REDIRECT frozenset only included Authorization but not Cookie, despite both headers carrying equally sensitive authentication information.
From the patch, we can see the fix clearly:
# Before the fix
DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
# After the fix
DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
Source: GitHub Commit
Attack Vector
The attack vector is network-based and requires a malicious or compromised server to redirect HTTP requests to an attacker-controlled domain. The attack scenario works as follows:
- A victim's application uses urllib3 to make HTTP requests with a custom Cookie header containing session tokens or authentication data
- The legitimate server (or a man-in-the-middle attacker) issues an HTTP redirect to a different domain
- urllib3 follows the redirect and sends the original Cookie header to the new domain
- The attacker's server captures the leaked cookie data
# Changes documenting the fix
+1.26.17 (2023-10-02)
+--------------------
+
+* Added the ``Cookie`` header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via ``Retry.remove_headers_on_redirect``.
Source: GitHub Commit
Detection Methods for CVE-2023-43804
Indicators of Compromise
- Unexpected HTTP requests from your application to third-party domains containing your session cookies
- Log entries showing requests to unfamiliar domains following legitimate API calls
- Authentication tokens appearing in logs or traffic captures for domains outside your trusted infrastructure
Detection Strategies
- Audit application dependencies using pip list or pip show urllib3 to identify vulnerable versions (< 1.26.17 for 1.x branch, < 2.0.5 for 2.x branch)
- Implement network monitoring to detect cookie headers being sent to unexpected domains during redirect chains
- Use software composition analysis (SCA) tools to scan for vulnerable urllib3 versions across your codebase
Monitoring Recommendations
- Enable detailed HTTP logging in applications to capture redirect behavior and header transmission
- Monitor for unusual authentication failures that could indicate leaked session cookies being replayed
- Implement network-level inspection to identify cookie headers crossing trust boundaries during redirects
How to Mitigate CVE-2023-43804
Immediate Actions Required
- Upgrade urllib3 to version 1.26.17 or later for the 1.x branch
- Upgrade urllib3 to version 2.0.5 or later for the 2.x branch
- Review applications for manual Cookie header usage with urllib3 and assess potential exposure
- Consider disabling automatic redirects (redirect=False) for sensitive requests until patching is complete
Patch Information
Security patches are available from the urllib3 project. The fix adds the Cookie header to the DEFAULT_REMOVE_HEADERS_ON_REDIRECT frozenset, ensuring cookies are stripped when following redirects to different hosts. Patches are available through standard package managers:
Workarounds
- Explicitly disable redirects when making requests with cookies: urllib3.request("GET", url, redirect=False)
- Manually specify headers to remove on redirect using Retry.remove_headers_on_redirect to include Cookie
- Implement application-level redirect handling that strips sensitive headers before following cross-origin redirects
# Upgrade urllib3 to patched version
pip install --upgrade "urllib3>=1.26.17"
# For urllib3 2.x users
pip install --upgrade "urllib3>=2.0.5"
# Verify installed version
pip show urllib3
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
