CVE-2025-50182 Overview
CVE-2025-50182 is a URL Redirection vulnerability (CWE-601) affecting urllib3, a widely used HTTP client library for Python. The vulnerability exists in versions 2.2.0 through 2.4.x, where redirect control parameters are ignored when urllib3 operates within a Pyodide runtime environment. As a result, the underlying JavaScript runtime (browser or Node.js) determines redirect behavior instead of the redirect policy configured through urllib3.
Critical Impact
Applications using urllib3 in Pyodide environments may be vulnerable to open redirect attacks, as the retries and redirect parameters that developers rely on for redirect control are silently ignored, potentially leading to credential theft or phishing attacks.
Affected Products
- Python urllib3 versions 2.2.0 to 2.4.x
- Applications using urllib3 within Pyodide runtime environments
- Python applications running in browser or Node.js via Pyodide
Discovery Timeline
- June 19, 2025 - CVE-2025-50182 published to NVD
- December 22, 2025 - Last updated in NVD database
Technical Details for CVE-2025-50182
Vulnerability Analysis
This vulnerability stems from an inconsistency between urllib3's documented redirect control behavior and its actual behavior when executing within Pyodide. urllib3 supports operation in Pyodide runtime environments, which utilize either the JavaScript Fetch API or XMLHttpRequest as the underlying HTTP transport mechanism. This capability enables Python libraries to make HTTP requests directly from browsers or Node.js environments.
The core issue is that urllib3's retries and redirect parameters—which developers use to control redirect behavior and limit redirect chains—are completely ignored when running in Pyodide. Instead, the JavaScript runtime's default redirect handling takes precedence, bypassing any application-level redirect restrictions configured through urllib3.
Root Cause
The root cause is a design gap in urllib3's Pyodide integration layer. When urllib3 delegates HTTP requests to the JavaScript Fetch API or XMLHttpRequest, it fails to translate its redirect control parameters into equivalent JavaScript fetch options. The JavaScript runtime's native redirect handling operates independently, meaning any redirect=False or retries configuration specified in Python code has no effect on the actual HTTP behavior.
Attack Vector
An attacker can exploit this vulnerability through network-based attacks requiring user interaction. The attack scenario involves:
- An attacker identifies a web application using urllib3 in a Pyodide environment
- The attacker crafts a malicious URL that redirects to an attacker-controlled destination
- Even if the application has configured urllib3 to disallow or limit redirects, the JavaScript runtime follows the redirects anyway
- This can lead to open redirect attacks where users are silently redirected to phishing sites, or sensitive data (such as authentication tokens in URL parameters) being leaked to attacker-controlled servers via the redirect chain
The vulnerability is particularly concerning because developers may believe their redirect controls are functioning when they are actually being bypassed entirely.
Detection Methods for CVE-2025-50182
Indicators of Compromise
- Unexpected redirect chains in applications running urllib3 within Pyodide environments
- HTTP traffic showing redirects to external domains when application logic should prevent such behavior
- User reports of being redirected to unexpected or suspicious websites
- Authentication tokens or sensitive parameters appearing in redirect destination logs
Detection Strategies
- Review application dependencies to identify urllib3 versions between 2.2.0 and 2.4.x used in Pyodide contexts
- Audit code for urllib3 usage patterns that rely on redirect or retries parameters in browser/Node.js deployments
- Implement network monitoring to detect unexpected redirect behavior from Pyodide-based applications
- Test redirect control functionality explicitly in Pyodide environments to verify expected behavior
Monitoring Recommendations
- Monitor HTTP request logs for redirect chains that exceed expected limits
- Implement alerting for requests that redirect to domains outside an approved list
- Track urllib3 version usage across Pyodide deployments through dependency scanning
- Review client-side application behavior for signs of uncontrolled redirects
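The two monitoring checks above (redirect chains that exceed a limit, and redirects to hosts outside an approved list) applied to a few constructed request-log lines. This is an added illustration, not tooling from urllib3 or from the advisory; the log line format, request ids and host names are assumed.

```python
import re
from urllib.parse import urlparse

# Constructed sample log (not from any real deployment): one line per HTTP hop
# written by a Pyodide application's request logger. Assumed format:
# "<ts> req=<id> <METHOD> <url> -> <status> [location=<url>]"
SAMPLE_LOG = """\
2025-06-20T10:00:01Z req=r1 GET https://app.example/api/profile -> 200
2025-06-20T10:00:02Z req=r2 GET https://app.example/go?next=home -> 302 location=https://app.example/home
2025-06-20T10:00:02Z req=r2 GET https://app.example/home -> 200
2025-06-20T10:00:03Z req=r3 GET https://app.example/go?token=abc -> 302 location=https://untrusted.example/?token=abc
2025-06-20T10:00:03Z req=r3 GET https://untrusted.example/?token=abc -> 200
2025-06-20T10:00:04Z req=r4 GET https://app.example/a -> 301 location=https://app.example/b
2025-06-20T10:00:04Z req=r4 GET https://app.example/b -> 301 location=https://app.example/c
2025-06-20T10:00:04Z req=r4 GET https://app.example/c -> 301 location=https://app.example/d
2025-06-20T10:00:04Z req=r4 GET https://app.example/d -> 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) req=(?P<req>\S+) (?P<method>[A-Z]+) (?P<url>\S+) -> "
    r"(?P<status>\d{3})(?: location=(?P<location>\S+))?$"
)


def parse_chains(log_text):
    """Group hops by request id in log order -> {req_id: [(url, status, location)]}."""
    chains = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed format
        chains.setdefault(m["req"], []).append((m["url"], int(m["status"]), m["location"]))
    return chains


def audit_chains(log_text, allowed_hosts, max_redirects=1):
    """Return (req_id, reason) alerts for chains that exceed max_redirects
    or that touch a host outside allowed_hosts."""
    alerts = []
    for req_id, hops in parse_chains(log_text).items():
        redirects = [h for h in hops if 300 <= h[1] < 400]
        if len(redirects) > max_redirects:
            alerts.append((req_id, f"{len(redirects)} redirects exceeds limit {max_redirects}"))
        for url, _status, _location in hops:
            host = urlparse(url).hostname
            if host not in allowed_hosts:
                alerts.append((req_id, f"hop to non-allowlisted host {host}"))
                break  # one alert per chain is enough for the host check
    return alerts
```

With `allowed_hosts={"app.example"}` and `max_redirects=2`, request r3 is flagged for leaving the allowlist (with a token in the query string) and r4 for its three-hop chain, while r1 and r2 pass.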
How to Mitigate CVE-2025-50182
Immediate Actions Required
- Upgrade urllib3 to version 2.5.0 or later immediately for all Pyodide-based deployments
- Audit applications using urllib3 in Pyodide to identify where redirect controls were expected to function
- Implement server-side redirect validation as an additional defense layer
- Review application logic to ensure no security-critical operations depend solely on urllib3 redirect controls in Pyodide
Patch Information
The urllib3 maintainers have addressed this vulnerability in version 2.5.0. The fix ensures that redirect control parameters are properly honored when urllib3 operates within Pyodide environments. Organizations should upgrade to version 2.5.0 or later to remediate this vulnerability.
For detailed information about the fix, refer to the GitHub Security Advisory GHSA-48p4-8xcf-vxj5 and the urllib3 2.5.0 Release Notes.
Workarounds
- Implement application-level URL validation before making requests to prevent redirects to untrusted domains
- Use Content Security Policy (CSP) headers to restrict navigation to approved origins
- Avoid passing sensitive data in URL parameters where redirect leakage could expose credentials
- Consider implementing a server-side proxy for HTTP requests if Pyodide-based redirect control is critical to security
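Added example (not code from urllib3 or the advisory) of the first and third workarounds: a pre-request URL check a Pyodide application can run before calling urllib3, since on affected versions the `redirect=`/`retries=` arguments do not stop the JavaScript runtime from following redirects, plus a helper that classifies an installed urllib3 version against the 2.2.0 to 2.4.x range. The sensitive parameter names and allowlisted hosts are assumptions.

```python
from urllib.parse import urlparse, parse_qs

# Query parameter names that must never travel in a URL that could be
# redirected off-origin (assumed list; adapt to the application).
SENSITIVE_PARAMS = {"token", "access_token", "session", "api_key", "password"}


def validate_request_url(url, allowed_hosts, sensitive_params=SENSITIVE_PARAMS):
    """Return the reasons a URL must not be fetched; an empty list means it passes."""
    problems = []
    parts = urlparse(url)
    if parts.scheme != "https":
        problems.append(f"scheme {parts.scheme!r} is not https")
    if parts.username is not None or parts.password is not None:
        # "https://app.example@untrusted.example/" has hostname untrusted.example;
        # reject any userinfo instead of trusting a lookalike prefix.
        problems.append("userinfo in authority is not allowed")
    host = (parts.hostname or "").lower()
    allowed = {h.lower() for h in allowed_hosts}
    if not host:
        problems.append("URL has no host")
    elif host not in allowed:
        problems.append(f"host {host!r} is not in the allowlist")
    # Flag credentials in the query string: a followed redirect would carry them along.
    leaked = sorted(set(parse_qs(parts.query)) & set(sensitive_params))
    if leaked:
        problems.append(f"sensitive parameters in query: {', '.join(leaked)}")
    return problems


def is_affected_version(version):
    """True for urllib3 releases with 2.2.0 <= version < 2.5.0.
    Pre-release suffixes are reduced to their digits, which is enough for the
    'is this install in the vulnerable range' question."""
    nums = []
    for part in version.split(".")[:3]:
        digits = "".join(ch for ch in part if ch.isdigit())
        nums.append(int(digits) if digits else 0)
    while len(nums) < 3:
        nums.append(0)
    return (2, 2, 0) <= tuple(nums) < (2, 5, 0)
```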
# Upgrade urllib3 to patched version
pip install --upgrade "urllib3>=2.5.0"
# Verify installed version
pip show urllib3 | grep Version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.