Headline
GHSA-48p4-8xcf-vxj5: urllib3 does not control redirects in browsers and Node.js
urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means you can use Python libraries to make HTTP requests from your browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects.
However, the retries and redirect parameters are ignored with Pyodide; the runtime itself determines redirect behavior.
Affected usages
Any code which relies on urllib3 to control the number of redirects for an HTTP request in a Pyodide runtime.
Impact
Redirects are often used to exploit SSRF vulnerabilities. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects may remain vulnerable if a Pyodide runtime redirect mechanism is unsuitable.
Remediation
If you use urllib3 in Node.js, upgrade to a patched version of urllib3.
Unfortunately, browsers provide no suitable way which urllib3 can use: XMLHttpRequest provides no control over redirects, the Fetch API returns opaqueredirect responses lacking data when redirects are controlled manually. Expect default browser behavior for redirects.
urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means you can use Python libraries to make HTTP requests from your browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects.
However, the retries and redirect parameters are ignored with Pyodide; the runtime itself determines redirect behavior.
Affected usages
Any code which relies on urllib3 to control the number of redirects for an HTTP request in a Pyodide runtime.
Impact
Redirects are often used to exploit SSRF vulnerabilities. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects may remain vulnerable if a Pyodide runtime redirect mechanism is unsuitable.
Remediation
If you use urllib3 in Node.js, upgrade to a patched version of urllib3.
Unfortunately, browsers provide no suitable way which urllib3 can use: XMLHttpRequest provides no control over redirects, the Fetch API returns opaqueredirect responses lacking data when redirects are controlled manually. Expect default browser behavior for redirects.
References
- GHSA-48p4-8xcf-vxj5
- urllib3/urllib3@7eb4a2a