## urllib3 Security Flaw Bypasses Redirect Protections Despite Disabled Retries
A critical vulnerability in urllib3, a widely used HTTP client library for Python, allows redirect requests to proceed even when application developers explicitly disable retry mechanisms. The flaw, tracked as CVE-2025-50181 and catalogued as GHSA-pq67-6m6q-mj2v, stems from how urllib3 consolidates redirect and retry handling within the same internal component controlled by the Retry object.

The vulnerability affects urllib3 versions prior to 2.6.3, where the library fails to properly enforce redirect-disabling settings when a Retry object is used to instantiate a PoolManager. Under normal circumstances, developers who wish to prevent automatic request retries or redirects would configure the Retry object with appropriate flags. However, the shared mechanism means that disabling retries does not automatically prevent redirects, creating an unintended attack surface for potential request smuggling or redirection-based exploits.
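
As an added example (not code from the advisory or from the urllib3 project), the script below stands up a constructed local redirecting server and compares the two ways of disabling redirects that the paragraph above contrasts: the PoolManager-level Retry setting that the flaw ignores, and the per-request `redirect=False` that is honored regardless of version. The server, its paths and the helper names are assumptions made for this check; a `pool_level` result of False means the installed urllib3 still followed the redirect despite the pool configuration.

```python
# Added example (not from the advisory): a local redirecting server and two requests
# that show whether this install honors a PoolManager-level "no redirects" Retry.
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
import urllib3
from urllib3.util.retry import Retry


class RedirectHandler(BaseHTTPRequestHandler):
    # Constructed test server: /start answers 302 -> /final, /final answers 200.
    def do_GET(self):
        if self.path == "/start":
            self.send_response(302)
            self.send_header("Location", "/final")
            self.send_header("Content-Length", "0")
            self.end_headers()
        else:
            self.send_response(200)
            self.send_header("Content-Length", "5")
            self.end_headers()
            self.wfile.write(b"final")

    def log_message(self, *args):  # keep the test server quiet
        pass


def start_server():
    """Bind an ephemeral localhost port, serve in a daemon thread, return (server, url)."""
    server = HTTPServer(("127.0.0.1", 0), RedirectHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/start"


def request_level_blocked(url):
    """Per-request redirect=False: the 302 comes back unfollowed in every version."""
    with urllib3.PoolManager() as http:
        return http.request("GET", url, redirect=False).status == 302


def pool_level_blocked(url):
    """PoolManager-level Retry(redirect=0), the setting the flaw ignores.
    raise_on_redirect=False returns the blocked 302 instead of raising MaxRetryError."""
    with urllib3.PoolManager(retries=Retry(redirect=0, raise_on_redirect=False)) as http:
        return http.request("GET", url).status == 302


def audit():
    """pool_level False means the redirect was followed despite the configuration."""
    server, url = start_server()
    try:
        return {"request_level": request_level_blocked(url),
                "pool_level": pool_level_blocked(url)}
    finally:
        server.shutdown()
        server.server_close()
```

Run `audit()` against each environment you deploy to; the request-level check is the pattern to rely on until the pool-level one also reports True.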

The security update patches the flaw by properly segregating redirect and retry logic, ensuring that applications relying on urllib3 for controlled HTTP client behavior can trust their explicit configurations. Users of affected versions are advised to upgrade to urllib3 2.6.3 immediately, particularly those operating services that handle sensitive redirects or rely on strict request boundaries.

The broader implications extend to the Python ecosystem, where urllib3 serves as a foundational dependency for numerous libraries including requests, boto3, and many web frameworks. The vulnerability highlights the risks inherent in tightly coupled security mechanisms, where disabling one protective feature inadvertently leaves another layer exposed. Security teams should audit their dependencies to determine whether their applications are affected and prioritize patching accordingly.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: urllib3, CVE-2025-50181, security vulnerability, Python, HTTP library
- **Credibility**: unverified
- **Published**: 2026-04-28 18:54:09
- **ID**: 77909
- **URL**: https://whisperx.ai/en/intel/77909