Medium severity6.1NVD Advisory· Published Oct 15, 2023· Updated Jun 17, 2026
CVE-2018-25091
CVE-2018-25091
Description
urllib3 before 1.24.2 does not remove the authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the authorization header to be exposed to unintended hosts or transmitted in cleartext. NOTE: this issue exists because of an incomplete fix for CVE-2018-20060 (which was case-sensitive).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
urllib3PyPI | < 1.24.2 | 1.24.2 |
Affected products
4- ghsa-coords3 versionspkg:pypi/urllib3pkg:rpm/suse/python-urllib3&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/python-urllib3&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209
< 1.24.2+ 2 more
- (no CPE)range: < 1.24.2
- (no CPE)range: < 1.23-3.25.1
- (no CPE)range: < 1.23-3.25.1
Patches
Vulnerability mechanics
References
6- github.com/urllib3/urllib3/commit/adb358f8e06865406d1f05e581a16cbea2136fbcnvdPatchWEB
- github.com/urllib3/urllib3/compare/1.24.1...1.24.2nvdPatchWEB
- github.com/urllib3/urllib3/issues/1510nvdIssue TrackingPatchVendor AdvisoryWEB
- github.com/advisories/GHSA-gwvm-45gx-3cf8ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2018-25091ghsaADVISORY
- github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2023-207.yamlghsaWEB
News mentions
0No linked articles in our index yet.