5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-50181

GHSA ID

GHSA-pq67-6m6q-mj2v

EPSS Score

0.0102%

CWE

CWE-601

Published

6/18/2025

Updated

6/18/2025

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-50181

CVE-2025-50181:
urllib3 PoolManager Redirect Configuration Bypass Vulnerability

CVE-2025-50181 identifies a URL redirection vulnerability in urllib3 Python HTTP client library that enables attackers to bypass redirect security controls by exploiting inadequate PoolManager retries parameter handling, potentially facilitating server-side request forgery (SSRF) attacks through unintended redirect following. This vulnerability affects urllib3 versions prior to 2.5.0, achieving a CVSS score of 5.3 (Medium severity) with EPSS percentile of 1.0 indicating moderate exploit risk for Python applications utilizing urllib3 for HTTP requests with SSRF mitigation strategies relying on PoolManager-level redirect disabling. The vulnerability details reveal that improper processing of retries parameter during PoolManager instantiation causes redirect configuration settings to be ignored, enabling attackers to trigger redirects even when applications explicitly configure retries=0, retries=False, or retries=urllib3.Retry(redirect=0) to prevent redirect following, creating substantial exploit risk for web applications and API clients that depend on urllib3 redirect controls for SSRF protection and open redirect mitigation strategies. The root cause analysis reveals that the vulnerability stems from inadequate retries parameter processing in PoolManager.init and urlopen methods where insufficient validation causes redirect disabling configurations to be ignored during HTTP request processing, classified as CWE-601 (URL Redirection to Untrusted Site). The vulnerability specifically affects PoolManager initialization workflows where the constructor fails to properly translate retries parameters into appropriate Retry object configurations with raise_on_redirect attributes, enabling attackers to exploit known exploited vulnerabilities targeting HTTP redirect mechanisms to bypass SSRF protection controls that applications believe are active. Mitigation steps require upgrading to urllib3 version 2.5.0 which implements proper retries parameter handling in PoolManager.init to correctly configure Retry objects for redirect control enforcement, or alternatively disable redirects at the request level using redirect=False parameter instead of relying on PoolManager-level configuration. Organizations should prioritize identifying Python applications using vulnerable urllib3 versions with SSRF mitigation strategies based on PoolManager redirect disabling, implement request-level redirect controls as immediate workaround for applications unable to upgrade, validate all HTTP client configurations to ensure redirect controls are properly enforced, monitor for unexpected redirect behavior in HTTP request processing, and maintain updated vulnerability database records to track similar redirect bypass vulnerabilities that could compromise application security through SSRF attacks and broader security implications for web applications processing untrusted URLs with insufficient redirect validation controls.

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-50181

GHSA ID

GHSA-pq67-6m6q-mj2v

EPSS Score

0.0102%

CWE

CWE-601

Published

6/18/2025

Updated

6/18/2025

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
urllib3	pip	< 2.5.0	2.5.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability CVE-2025-50181 in urllib3 (versions < 2.5.0) arises from the PoolManager failing to disable redirects when configured to do so via its retries parameter during instantiation. For example, PoolManager(retries=0) or PoolManager(retries=False) was intended to prevent any redirects, but this setting was ignored.

The root cause lies in two key methods of urllib3.poolmanager.PoolManager:

urllib3.poolmanager.PoolManager.__init__: The constructor was flawed because it did not properly process the retries argument (when passed as an integer like 0, or as False, or as a Retry object with redirect=0) to ensure that the internal Retry object for the PoolManager instance was configured to disallow redirects. The patch (commit f05b1329126d5be6de501f9d1e3e36738bc08857) introduces specific logic in __init__ to correctly create or modify the Retry object to set its raise_on_redirect attribute appropriately, thereby enforcing the no-redirect policy.
urllib3.poolmanager.PoolManager.urlopen: This method is responsible for making the actual HTTP request and applying the retry/redirect logic. It uses the Retry object associated with the PoolManager (if not overridden by a request-specific Retry object). In vulnerable versions, urlopen would use the Retry object that __init__ had failed to correctly configure for disabling redirects. Consequently, urlopen would follow redirects even when the PoolManager was initialized with the intent to disable them.

If an application relied on disabling redirects at the PoolManager level to mitigate risks like Server-Side Request Forgery (SSRF) or open redirects, this vulnerability would leave it exposed because the redirects would still be followed. The fix ensures that the retries parameter in PoolManager.__init__ correctly translates to a redirect policy that urlopen then enforces.

Vulnerable functions

urllib3.poolmanager.PoolManager.__init__

src/urllib3/poolmanager.py

This constructor method was vulnerable because it did not correctly interpret the `retries` parameter (e.g., `retries=0`, `retries=False`, or `Retry(redirect=0)`) passed during `PoolManager` instantiation to disable redirects for all subsequent requests. It failed to properly configure the internal `Retry` object to prevent redirects, meaning the user's intent to disable them was not honored.

urllib3.poolmanager.PoolManager.urlopen

src/urllib3/poolmanager.py

This method executes HTTP requests and handles retries and redirects. It was vulnerable because it would use the `Retry` object configured by the `PoolManager`'s `__init__` method. Since `__init__` failed to correctly set up the `Retry` object to disable redirects when specified (e.g. `PoolManager(retries=0)`), `urlopen` would inadvertently follow redirects, contrary to the user's expectation set at the `PoolManager` level.

WAF Protection Rules

WAF Rule

urlli** **n*l*s r**ir**ts *n* r*tri*s usin* t** s*m* m****nism, w*i** is *ontroll** *y t** `R*try` o*j**t. T** most *ommon w*y to *is**l* r**ir**ts is *t t** r*qu*st l*v*l, *s *ollows: ```pyt*on r*sp = urlli**.r*qu*st("**T", "*ttps://*ttp*in.or*/r**

Reasoning

T** vuln*r**ility *V*-****-***** in urlli** (v*rsions < *.*.*) *ris*s *rom t** `PoolM*n***r` **ilin* to *is**l* r**ir**ts w**n *on*i*ur** to *o so vi* its `r*tri*s` p*r*m*t*r *urin* inst*nti*tion. *or *x*mpl*, `PoolM*n***r(r*tri*s=*)` or `PoolM*n***r

5.3

Basic Information

Concerned about an active attack path?

CVE-2025-50181: urllib3 PoolManager Redirect Configuration Bypass Vulnerability

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-50181:
urllib3 PoolManager Redirect Configuration Bypass Vulnerability

Vulnerability Intelligence
Miggo AI