
CVE-2024-37891: urllib3 Information Disclosure Flaw

CVE-2024-37891 is an information disclosure vulnerability in urllib3 for Python that may expose Proxy-Authorization headers during cross-origin redirects. This article covers the technical details, risk factors, and patches.


CVE-2024-37891 Overview

urllib3 is a user-friendly HTTP client library for Python. When urllib3's proxy support is used via ProxyManager, the Proxy-Authorization header is only sent to the configured proxy. However, certain configurations can lead to the accidental inclusion of the Proxy-Authorization header in non-proxied requests, and in that case the header is not stripped during cross-origin redirects. Though a rare occurrence, it presents a minor security risk where authentication material could be inadvertently exposed.

Critical Impact

Low likelihood but potential disclosure of authentication credentials through cross-origin redirects.

Affected Products

  • Not Available

Discovery Timeline

  • 2024-06-17T20:15:13.450 - CVE CVE-2024-37891 published to NVD
  • 2025-11-03T22:17:00.957 - Last updated in NVD database

Technical Details for CVE-2024-37891

Vulnerability Analysis

The vulnerability lies in the handling of the Proxy-Authorization header during HTTP requests without proxy support. If users manually set this header and perform cross-origin redirects, urllib3 fails to remove the header, risking accidental exposure of credentials.

Root Cause

Mismanagement of HTTP headers during redirection when not using urllib3's built-in proxy support, causing potential credential exposure.

Attack Vector

Network-based threat via HTTP requests under specific conditions involving improperly configured headers.

python
# Example of the risky configuration (sanitized)
import urllib3

# A plain PoolManager, not ProxyManager: urllib3 does not know this header
# belongs to a proxy, so it is treated like any other request header.
http = urllib3.PoolManager()

response = http.request(
    'GET', 'http://example.com',
    headers={'Proxy-Authorization': 'Bearer ...'}  # set manually, not via ProxyManager
)
# Redirects are followed by default; in urllib3 before 1.26.19 / 2.2.2 a
# cross-origin redirect forwards this header to the new origin.

Detection Methods for CVE-2024-37891

Indicators of Compromise

  • Unusual Proxy-Authorization headers in HTTP traffic
  • Cross-origin requests carrying sensitive headers
  • Unexpected cross-origin redirects

Detection Strategies

Leverage intrusion detection systems (IDS) to monitor HTTP traffic for unauthorized Proxy-Authorization headers, especially during cross-origin requests.

Monitoring Recommendations

Regularly audit HTTP header configurations and cross-origin traffic patterns to ensure sensitive headers aren't inadvertently exposed.
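The strategy above (watch for sensitive headers following a cross-origin redirect) can be run over an HTTP inspection log. The following is an added example, not code from the page or from SentinelOne: it correlates 3xx responses whose Location points at a different origin with the next request from the same client to that origin and flags any Proxy-Authorization, Authorization or Cookie header that travelled with it. The JSON-lines schema, field names and sample records are constructed for this example.

```python
import json
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample of an HTTP inspection log (JSON lines). The field names
# are assumptions for this example, not a real product's schema.
SAMPLE_LOG = """
{"ts": "2024-06-18T10:00:00Z", "src": "10.0.0.5", "url": "http://internal.example/report", "status": 302, "location": "http://cdn.example.net/report", "req_headers": ["User-Agent", "Proxy-Authorization"]}
{"ts": "2024-06-18T10:00:00Z", "src": "10.0.0.5", "url": "http://cdn.example.net/report", "status": 200, "location": null, "req_headers": ["User-Agent", "Proxy-Authorization"]}
{"ts": "2024-06-18T10:01:00Z", "src": "10.0.0.6", "url": "http://internal.example/a", "status": 301, "location": "http://internal.example/b", "req_headers": ["User-Agent", "Proxy-Authorization"]}
{"ts": "2024-06-18T10:01:00Z", "src": "10.0.0.6", "url": "http://internal.example/b", "status": 200, "location": null, "req_headers": ["User-Agent", "Proxy-Authorization"]}
{"ts": "2024-06-18T10:02:00Z", "src": "10.0.0.7", "url": "http://internal.example/x", "status": 302, "location": "http://other.example.org/x", "req_headers": ["User-Agent", "Authorization"]}
{"ts": "2024-06-18T10:02:01Z", "src": "10.0.0.7", "url": "http://other.example.org/x", "status": 200, "location": null, "req_headers": ["User-Agent"]}
"""

# Headers that must not survive a redirect to another origin.
SENSITIVE = {"proxy-authorization", "authorization", "cookie"}
WINDOW = timedelta(seconds=5)  # how soon after the 3xx the follow-up request must occur


def origin(url):
    """(scheme, host, port) triple; the same notion of 'same host' a client uses."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme.lower() == "https" else 80)
    return (p.scheme.lower(), p.hostname.lower(), port)


def parse(lines):
    recs = []
    for line in lines.strip().splitlines():
        r = json.loads(line)
        r["ts"] = datetime.fromisoformat(r["ts"].replace("Z", "+00:00"))
        recs.append(r)
    return recs


def find_leaks(lines):
    """Return one alert per cross-origin redirect whose follow-up request carried a sensitive header."""
    recs = parse(lines)  # assumed sorted by timestamp, as a log export would be
    alerts = []
    for i, r in enumerate(recs):
        if not (300 <= r["status"] < 400 and r["location"]):
            continue
        dst_origin = origin(r["location"])
        if origin(r["url"]) == dst_origin:
            continue  # same-origin redirect: forwarding the header is expected
        for f in recs[i + 1:]:
            if f["ts"] - r["ts"] > WINDOW:
                break
            if f["src"] != r["src"] or origin(f["url"]) != dst_origin:
                continue
            leaked = sorted(h for h in f["req_headers"] if h.lower() in SENSITIVE)
            if leaked:
                alerts.append({"src": r["src"], "from": r["url"], "to": f["url"], "headers": leaked})
            break  # the first matching request is the redirect being followed
    return alerts


if __name__ == "__main__":
    for a in find_leaks(SAMPLE_LOG):
        print("cross-origin leak:", a)
```

On the constructed sample only the first client is flagged: the second follows a same-origin redirect, and the third reaches the new origin without any sensitive header. In a real deployment the log source must record request header names (many proxies do not by default), and the window should match the observed redirect latency.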

How to Mitigate CVE-2024-37891

Immediate Actions Required

  • Review all HTTP header configurations
  • Enforce proper proxy settings in all urllib3 usages
  • Disable HTTP redirects when not necessary

Patch Information

Update to urllib3 1.26.19 (1.x line) or 2.2.2 (2.x line); from those versions urllib3 automatically strips the Proxy-Authorization header on cross-origin redirects.

Workarounds

Utilize the built-in proxy support of urllib3 via ProxyManager, or pass redirect=False on requests that carry sensitive headers so the 3xx response is returned instead of being followed.

python
# Configuration example
import urllib3

http = urllib3.PoolManager()

# Disable automatic redirect following for the request that carries the
# sensitive header: the 3xx response is returned instead of being followed.
# (redirect is a per-request keyword; PoolManager() itself does not accept it.)
response = http.request(
    'GET', 'http://example.com',
    redirect=False
)
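To verify the behaviour described in the analysis and the patch information above on an actual installation, the following added example (not code from the page or from the urllib3 project) starts two local HTTP origins on different ports, sends a request with a manually set Proxy-Authorization header through a plain PoolManager, lets urllib3 follow the cross-origin redirect, and reports whether the header reached the second origin. It also includes a version check against the fixed releases named above. The handler, function names and the placeholder credential are this example's own assumptions.

```python
import re
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# First fixed release per major line, as stated on the page.
FIXED = {1: (1, 26, 19), 2: (2, 2, 2)}


def parse_version(v):
    """Leading numeric components only: '1.26.18rc1' -> (1, 26, 18)."""
    return tuple(int(x) for x in re.findall(r"\d+", v)[:3])


def is_fixed(v):
    """True when the installed urllib3 version already strips Proxy-Authorization on cross-origin redirects."""
    parts = parse_version(v)
    major = parts[0] if parts else 0
    if major in FIXED:
        return parts >= FIXED[major]
    return major > max(FIXED)


class _Handler(BaseHTTPRequestHandler):
    redirect_to = None  # set once the second origin's port is known
    seen = {}           # request headers received by the echo endpoint

    def do_GET(self):
        if self.path == "/start":
            self.send_response(302)
            self.send_header("Location", self.redirect_to)  # cross-origin: different port
            self.end_headers()
        else:
            type(self).seen = {k.lower(): v for k, v in self.headers.items()}
            self.send_response(200)
            self.send_header("Content-Length", "0")
            self.end_headers()

    def log_message(self, *args):
        pass  # keep the example quiet


def probe_redirect_leak():
    """Redirect from origin A to origin B and report whether Proxy-Authorization was forwarded."""
    try:
        import urllib3
    except ImportError:
        return {"urllib3": None, "leaked": None}
    a = ThreadingHTTPServer(("127.0.0.1", 0), _Handler)
    b = ThreadingHTTPServer(("127.0.0.1", 0), _Handler)
    _Handler.redirect_to = "http://127.0.0.1:%d/echo" % b.server_address[1]
    _Handler.seen = {}
    for s in (a, b):
        threading.Thread(target=s.serve_forever, daemon=True).start()
    try:
        http = urllib3.PoolManager()  # plain pool, no ProxyManager: the risky setup
        resp = http.request(
            "GET", "http://127.0.0.1:%d/start" % a.server_address[1],
            headers={"Proxy-Authorization": "Basic Y29uc3RydWN0ZWQ="},  # constructed placeholder value
        )
        return {
            "urllib3": urllib3.__version__,
            "leaked": "proxy-authorization" in _Handler.seen,
            "final_status": resp.status,
        }
    except Exception as e:  # e.g. sockets unavailable in a restricted sandbox
        return {"urllib3": urllib3.__version__, "leaked": None, "error": repr(e)}
    finally:
        for s in (a, b):
            s.shutdown()
            s.server_close()


if __name__ == "__main__":
    result = probe_redirect_leak()
    print(result)
    if result["urllib3"]:
        print("version is fixed:", is_fixed(result["urllib3"]))
```

On an affected version the echo origin receives the Proxy-Authorization header (leaked is True); on 1.26.19 / 2.2.2 or later it is absent. The two origins differ only by port, which is enough for urllib3's same-host check to treat the redirect as cross-origin, so the probe needs no external network.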

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
