Urllib3

This hub aggregates every CVE we track for Urllib3, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Urllib3.

• CVE-2026-44431urllib3: Sensitive headers forwarded across origins in proxied low-level redirects5.3May 13, 2026
• CVE-2026-44432urllib3: Decompression-bomb safeguards bypassed in parts of the streaming API7.5May 13, 2026
• CVE-2026-21441urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API)7.5Jan 7, 2026
• CVE-2025-66471urllib3 Streaming API improperly handles highly compressed data7.5Dec 5, 2025
• CVE-2025-66418urllib3 allows an unbounded number of links in the decompression chain7.5Dec 5, 2025
• CVE-2025-50182urllib3 does not control redirects in browsers and Node.js5.3Jun 19, 2025
• CVE-2025-50181urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation5.3Jun 19, 2025
• CVE-2024-37891Proxy-Authorization request header isn't stripped during cross-origin redirects in urllib34.4Jun 17, 2024
• CVE-2023-45803Request body not stripped after redirect in urllib34.2Oct 17, 2023
• CVE-2018-25091urllib3 before 1.24.2 does not remove the authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials i...6.1Oct 15, 2023
• CVE-2023-43804`Cookie` HTTP header isn't stripped on cross-origin redirects5.9Oct 4, 2023
• CVE-2021-33503An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracki...7.5Jun 29, 2021
• CVE-2021-28363The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn'...6.5Mar 15, 2021
• CVE-2020-26137urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: ...6.5Sep 29, 2020
• CVE-2020-7212The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denial of service (CPU consumption) because of an inefficient algorithm. The perce...7.5Mar 6, 2020