| Package | Version | Related CVEs |
|---|---|---|
| python-urllib3 | ||
| 1.19.1-1+deb9u4 (stretch), 1.24.1-1+deb10u4 (buster) | ||
| CVE-2025-50181 CVE-2025-66418 |
CVE-2025-50181
Redirects were not disabled when retries are disabled on PoolManager instantiation. An application attempting to mitigate server-side request forgery (SSRF) or open redirect vulnerabilities by disabling redirects at the PoolManager level remained vulnerable.
CVE-2025-66418
The number of links in the decompression chain was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps which could lead to denia…
| Package | Version | Related CVEs |
|---|---|---|
| python-urllib3 | ||
| 1.19.1-1+deb9u4 (stretch), 1.24.1-1+deb10u4 (buster) | ||
| CVE-2025-50181 CVE-2025-66418 |
CVE-2025-50181
Redirects were not disabled when retries are disabled on PoolManager instantiation. An application attempting to mitigate server-side request forgery (SSRF) or open redirect vulnerabilities by disabling redirects at the PoolManager level remained vulnerable.
CVE-2025-66418
The number of links in the decompression chain was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps which could lead to denial of service.
For Debian 10 buster, these problems have been fixed in version 1.24.1-1+deb10u4.
For Debian 9 stretch, these problems have been fixed in version 1.19.1-1+deb9u4.
We recommend that you upgrade your python-urllib3 packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.