CVE-2025-50181: urllib3 PoolManager Redirect Configuration Bypass Vulnerability

CVE-2025-50181 identifies a URL redirection vulnerability in urllib3 Python HTTP client library that enables attackers to bypass redirect security controls by exploiting inadequate PoolManager retries parameter handling, potentially facilitating server-side request forgery (SSRF) attacks through unintended redirect following. This vulnerability affects urllib3 versions prior to 2.5.0, achieving a CVSS score of 5.3 (Medium severity) with EPSS percentile of 1.0 indicating moderate exploit risk for Python applications utilizing urllib3 for HTTP requests with SSRF mitigation strategies relying on PoolManager-level redirect disabling. The vulnerability details reveal that improper processing of retries parameter during PoolManager instantiation causes redirect configuration settings to be ignored, enabling attackers to trigger redirects even when applications explicitly configure retries=0, retries=False, or retries=urllib3.Retry(redirect=0) to prevent redirect following, creating substantial exploit risk for web applications and API clients that depend on urllib3 redirect controls for SSRF protection and open redirect mitigation strategies. The root cause analysis reveals that the vulnerability stems from inadequate retries parameter processing in PoolManager.init and urlopen methods where insufficient validation causes redirect disabling configurations to be ignored during HTTP request processing, classified as CWE-601 (URL Redirection to Untrusted Site). The vulnerability specifically affects PoolManager initialization workflows where the constructor fails to properly translate retries parameters into appropriate Retry object configurations with raise_on_redirect attributes, enabling attackers to exploit known exploited vulnerabilities targeting HTTP redirect mechanisms to bypass SSRF protection controls that applications believe are active. Mitigation steps require upgrading to urllib3 version 2.5.0 which implements proper retries parameter handling in PoolManager.init to correctly configure Retry objects for redirect control enforcement, or alternatively disable redirects at the request level using redirect=False parameter instead of relying on PoolManager-level configuration. Organizations should prioritize identifying Python applications using vulnerable urllib3 versions with SSRF mitigation strategies based on PoolManager redirect disabling, implement request-level redirect controls as immediate workaround for applications unable to upgrade, validate all HTTP client configurations to ensure redirect controls are properly enforced, monitor for unexpected redirect behavior in HTTP request processing, and maintain updated vulnerability database records to track similar redirect bypass vulnerabilities that could compromise application security through SSRF attacks and broader security implications for web applications processing untrusted URLs with insufficient redirect validation controls.