5.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-50182

GHSA ID

GHSA-48p4-8xcf-vxj5

EPSS Score

0.00771%

CWE

CWE-601

Published

6/18/2025

Updated

6/18/2025

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-50182

CVE-2025-50182: urllib3 does not control redirects in browsers and Node.js

urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means you can use Python libraries to make HTTP requests from your browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects.

However, the retries and redirect parameters are ignored with Pyodide; the runtime itself determines redirect behavior.

Affected usages

Any code which relies on urllib3 to control the number of redirects for an HTTP request in a Pyodide runtime.

Impact

Redirects are often used to exploit SSRF vulnerabilities. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects may remain vulnerable if a Pyodide runtime redirect mechanism is unsuitable.

Remediation

If you use urllib3 in Node.js, upgrade to a patched version of urllib3.

Unfortunately, browsers provide no suitable way which urllib3 can use: XMLHttpRequest provides no control over redirects, the Fetch API returns opaqueredirect responses lacking data when redirects are controlled manually. Expect default browser behavior for redirects.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-50182

CVE-2025-50182:

5.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-50182

GHSA ID

GHSA-48p4-8xcf-vxj5

EPSS Score

0.00771%

CWE

CWE-601

Published

6/18/2025

Updated

6/18/2025

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
urllib3	pip	< 2.5.0	2.5.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in how urllib3 handled redirect control when operating within a Pyodide environment, specifically when that environment is Node.js. The core issue is that urllib3's parameters intended to control HTTP redirects (e.g., retries and redirect) were not being honored. Instead, the redirect behavior was dictated by the underlying JavaScript runtime (Node.js Fetch API defaults).

The function urllib3.contrib.emscripten.fetch.send_jspi_request is responsible for dispatching HTTP requests using the JavaScript fetch API in this context. The security patch (commit 7eb4a2aafe49a279c29b6d1f0ed0f42e9736194f) modifies this function. Specifically, it adds a check to determine if the code is running in Node.js (_is_node_js()). If it is, the patch ensures that fetch_data["redirect"] = "manual" is set before calling js.fetch(...).

This explicit setting of "redirect": "manual" instructs the Node.js Fetch API not to follow redirects automatically, thereby allowing urllib3's own logic (based on retries and redirect parameters) to manage the redirect process. Before this change, the absence of this manual setting meant that send_jspi_request effectively delegated redirect handling to the Node.js runtime, bypassing urllib3's controls. This could lead to vulnerabilities like SSRF or open redirects if an application developer relied on urllib3 to disable or limit redirects, but those settings were silently ignored in the Pyodide/Node.js environment.

Therefore, send_jspi_request is identified as the vulnerable function because, prior to the patch, it did not correctly implement the user-specified redirect controls when running in Node.js via Pyodide.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-50182: urllib3 does not control redirects in browsers and Node.js

Affected usages

Impact

Remediation

CVE-2025-50182:

5.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2025-50182: urllib3 does not control redirects in browsers and Node.js

Affected usages

Impact

Remediation

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

5.3

5.3

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI