| Package | python-urllib3 |
|---|---|
| Version | 1.19.1-1+deb9u4 (stretch), 1.24.1-1+deb10u4 (buster) |
| Related CVEs | CVE-2025-50181 CVE-2025-66418 |

- CVE-2025-50181

  Redirects were not disabled when `retries` are disabled on `PoolManager` instantiation. An application attempting to mitigate server-side request forgery (SSRF) or open redirect vulnerabilities by disabling redirects at the `PoolManager` level remained vulnerable.

- CVE-2025-66418

  The number of links in the decompression chain was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps which could lead to denial of service.

For Debian 10 buster, these problems have been fixed in version 1.24.1-1+deb10u4.
For Debian 9 stretch, these problems have been fixed in version 1.19.1-1+deb9u4.
We recommend that you upgrade your python-urllib3 packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.
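
The kind of bound whose absence the CVE-2025-66418 entry describes, as an added example (not code from urllib3 or from the Debian patch): the `Content-Encoding` header is validated and its chain length capped before any decompression runs. The cap `MAX_LINKS`, the function names and the sample body are assumptions made for this illustration.

```python
import gzip
import zlib

MAX_LINKS = 5  # assumed cap for this example; tune to what your peers legitimately send


class DecodeChainError(ValueError):
    """Raised when a Content-Encoding header is rejected before decoding."""


def _inflate(data: bytes) -> bytes:
    # "deflate" should be zlib-wrapped, but some servers send a raw stream.
    try:
        return zlib.decompress(data)
    except zlib.error:
        return zlib.decompress(data, -zlib.MAX_WBITS)


DECODERS = {"gzip": gzip.decompress, "x-gzip": gzip.decompress,
            "deflate": _inflate, "identity": lambda data: data}


def parse_content_encoding(header: str, max_links: int = MAX_LINKS) -> list:
    """Return the codings in a header, refusing chains longer than max_links."""
    codings = [c.strip().lower() for c in header.split(",") if c.strip()]
    if len(codings) > max_links:
        raise DecodeChainError(f"{len(codings)} codings exceeds cap of {max_links}")
    unknown = [c for c in codings if c not in DECODERS]
    if unknown:
        raise DecodeChainError(f"unsupported codings: {unknown}")
    return codings


def decode_body(body: bytes, header: str, max_links: int = MAX_LINKS) -> bytes:
    """Undo the codings in reverse order; the header is validated before any work."""
    for coding in reversed(parse_content_encoding(header, max_links)):
        body = DECODERS[coding](body)
    return body


# Constructed sample: payload gzip-compressed first, then deflate-compressed.
SAMPLE_PAYLOAD = b"hello from a constructed response body"
SAMPLE_BODY = zlib.compress(gzip.compress(SAMPLE_PAYLOAD))
SAMPLE_HEADER = "gzip, deflate"

if __name__ == "__main__":
    print(decode_body(SAMPLE_BODY, SAMPLE_HEADER))
    try:
        decode_body(SAMPLE_BODY, ", ".join(["gzip"] * 1000))
    except DecodeChainError as exc:
        print("rejected:", exc)
```

Capping the chain length does not bound the decompressed size of each link; that needs its own limit.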