HIGH PyPI
GHSA-2xpw-w6gg-jr37 · CVE-2025-66471 urllib3 streaming API improperly handles highly compressed data
Modified: 2/4/2026
package
PyPI / urllib3
pkg:pypi/urllib3
MEDIUM 4.4 PyPI
GHSA-34jh-p97f-mpxf · CVE-2024-37891 urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects
Modified: 2/4/2026
HIGH 7.5 PyPI
GHSA-38jv-5279-wg99 · CVE-2026-21441 Decompression-bomb safeguards bypassed when following HTTP redirects (streaming API)
Modified: 2/4/2026
MEDIUM 5.3 PyPI
GHSA-48p4-8xcf-vxj5 · CVE-2025-50182 urllib3 does not control redirects in browsers and Node.js
Modified: 2/4/2026
MEDIUM 6.5 PyPI
GHSA-5phf-pp7p-vc2r · CVE-2021-28363, PYSEC-2021-59 Using default SSLContext for HTTPS requests in an HTTPS proxy doesn't verify certificate hostname for proxy connection
Modified: 3/13/2026
MEDIUM 4.2 PyPI
GHSA-g4mx-q9vg-27p4 · CVE-2023-45803, PYSEC-2023-212 urllib3's request body not stripped after redirect from 303 status changes request method to GET
Modified: 2/4/2026
HIGH PyPI
GHSA-gm62-xv2j-4w53 · CVE-2025-66418 urllib3 allows an unbounded number of links in the decompression chain
Modified: 2/4/2026
MEDIUM 6.1 PyPI
GHSA-gwvm-45gx-3cf8 · CVE-2018-25091, PYSEC-2023-207 Authorization Header forwarded on redirect
Modified: 11/18/2024
HIGH 7.5 PyPI
GHSA-hmv2-79q8-fv6g · CVE-2020-7212, PYSEC-2020-149 Uncontrolled Resource Consumption in urllib3
Modified: 11/18/2024
HIGH 7.5 PyPI
GHSA-mf9v-mfxr-j63j · CVE-2026-44432, PYSEC-2026-142 urllib3: Decompression-bomb safeguards bypassed in parts of the streaming API
Modified: 5/20/2026
HIGH 7.5 PyPI
GHSA-mh33-7rrq-662w · CVE-2019-11324, PYSEC-2019-133 Improper Certificate Validation in urllib3
Modified: 11/18/2024
MEDIUM 5.3 PyPI
GHSA-pq67-6m6q-mj2v · CVE-2025-50181 urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation
Modified: 2/4/2026
HIGH 7.5 PyPI
GHSA-q2q7-5pp4-w6pg · CVE-2021-33503, PYSEC-2021-108 Catastrophic backtracking in URL authority parser when passed URL containing many @ characters
Modified: 3/13/2026
MEDIUM 5.3 PyPI
GHSA-qccp-gfcp-xxvc · CVE-2026-44431, PYSEC-2026-141 urllib3: Sensitive headers forwarded across origins in proxied low-level redirects
Modified: 5/20/2026
MEDIUM 6.1 PyPI
GHSA-r64q-w8jr-g9qp · CVE-2019-11236, PYSEC-2019-132 Improper Neutralization of CRLF Sequences in urllib3 library for Python
Modified: 11/18/2024
LOW 3.7 PyPI
GHSA-v4w5-p2hg-8fh6 · CVE-2016-9015, PYSEC-2017-98 Urllib3 Incorrect Certificate Validation
Modified: 11/18/2024
MEDIUM 5.9 PyPI
GHSA-v845-jxx5-vc9f · CVE-2023-43804, PYSEC-2023-192 `Cookie` HTTP header isn't stripped on cross-origin redirects
Modified: 2/4/2026
MEDIUM 6.5 PyPI
GHSA-wqvq-5m8c-6g24 · CVE-2020-26137, PYSEC-2020-148 CRLF injection in urllib3
Modified: 11/18/2024
CRITICAL 9.8 PyPI
GHSA-www2-v7xj-xrc6 · CVE-2018-20060, PYSEC-2018-32 Exposure of Sensitive Information to an Unauthorized Actor in urllib3
Modified: 12/27/2024
— PyPI
PYSEC-2017-98 · CVE-2016-9015, GHSA-v4w5-p2hg-8fh6 Modified: 11/8/2023
— PyPI
PYSEC-2018-32 · CVE-2018-20060, GHSA-www2-v7xj-xrc6 Modified: 11/8/2023
— PyPI
PYSEC-2019-132 · CVE-2019-11236, GHSA-r64q-w8jr-g9qp Modified: 11/8/2023
— PyPI
PYSEC-2019-133 · CVE-2019-11324, GHSA-mh33-7rrq-662w Modified: 11/8/2023
— PyPI
PYSEC-2020-148 · CVE-2020-26137, GHSA-wqvq-5m8c-6g24 Modified: 11/8/2023
— PyPI
PYSEC-2020-149 · CVE-2020-7212, GHSA-hmv2-79q8-fv6g Modified: 11/8/2023
— PyPI
PYSEC-2021-108 · CVE-2021-33503, GHSA-q2q7-5pp4-w6pg Modified: 6/8/2026
— PyPI
PYSEC-2021-59 · CVE-2021-28363, GHSA-5phf-pp7p-vc2r Modified: 11/8/2023
HIGH 8.1 PyPI
PYSEC-2023-192 · CVE-2023-43804, GHSA-v845-jxx5-vc9f Modified: 11/8/2023
MEDIUM 6.1 PyPI
PYSEC-2023-207 · CVE-2018-25091, GHSA-gwvm-45gx-3cf8 Modified: 11/8/2023
MEDIUM 4.2 PyPI
PYSEC-2023-212 · CVE-2023-45803, GHSA-g4mx-q9vg-27p4 Modified: 11/8/2023
MEDIUM 5.3 PyPI
PYSEC-2026-141 · CVE-2026-44431, GHSA-qccp-gfcp-xxvc Modified: 5/20/2026
HIGH 7.5 PyPI
PYSEC-2026-142 · CVE-2026-44432, GHSA-mf9v-mfxr-j63j Modified: 5/20/2026