Bug 2373800 (CVE-2025-50182)
| Summary: | CVE-2025-50182 urllib3: urllib3 does not control redirects in browsers and Node.js | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | abarbaro, adinn, adistefa, adudiak, alinfoot, anpicker, anthomas, aprice, bbrownin, bdettelb, bparees, brasmith, caswilli, cochase, crizzo, davidn, david.sastre, dfreiber, dhanak, dnakabaa, doconnor, dranck, drosa, drow, dsimansk, dtrifiro, ehelms, fzakkak, galder.zamarreno, ggainey, haoli, hasun, hkataria, jajackso, jburrell, jcammara, jchui, jdobes, jfula, jhe, jkoehler, jmitchel, jneedle, jowilson, jsamir, jtanner, juwatts, jwendell, jwong, kaycoth, kegrant, kgaikwad, kholdawa, kingland, koliveir, kshier, ktsao, kverlaen, lball, lchilton, lcouzens, lgamliel, ljawale, lphiri, luizcosta, mabashia, matzew, mbabacek, mhulan, mnovotny, mskarbek, nboldt, ngough, nmoumoul, nweather, nyancey, oezr, olubyans, omaciel, ometelka, orabin, osousa, pakotvan, pbraun, pcreech, pjindal, psrna, ptisnovs, qguo, rbobbitt, rbryant, rcernich, rchan, rfreiman, sausingh, sbiarozk, sdoran, sfeifer, sgehwolf, shvarugh, simaishi, smallamp, smcdonal, stcannon, sthirugn, syedriko, teagle, tfister, thavo, tmalecek, tqvarnst, ttakamiy, veshanka, vkumar, weaton, xdharmai, xiaoxwan, yguenane, zdohnal, zzhou |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: | A flaw was found in urllib3. The library fails to properly validate redirect URLs, allowing an attacker to manipulate redirect chains when used in environments like Pyodide utilizing the JavaScript Fetch API. This lack of validation can enable a remote attacker to control the redirect destination, leading to arbitrary URL redirection. Consequently, an attacker can redirect users to malicious websites. This vulnerability stems from a failure to constrain the redirect target. | Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2373822, 2373825, 2373820, 2373821, 2373823, 2373824 | ||
| Bug Blocks: | |||
Description
OSIDB Bzimport
2025-06-19 02:01:09 UTC