chore(deps): update dependency urllib3 to v2.5.0 [security] #2331

renovate-bot · 2025-06-19T09:09:25Z

This PR contains the following updates:

Package	Change	Age	Confidence
urllib3 (changelog)	`==2.2.3` -> `==2.5.0`

GitHub Vulnerability Alerts

CVE-2025-50181

urllib3 handles redirects and retries using the same mechanism, which is controlled by the Retry object. The most common way to disable redirects is at the request level, as follows:

resp = urllib3.request("GET", "https://httpbin.org/redirect/1", redirect=False)
print(resp.status)

# 302

However, it is also possible to disable redirects, for all requests, by instantiating a PoolManager and specifying retries in a way that disable redirects:

import urllib3

http = urllib3.PoolManager(retries=0)  # should raise MaxRetryError on redirect
http = urllib3.PoolManager(retries=urllib3.Retry(redirect=0))  # equivalent to the above
http = urllib3.PoolManager(retries=False)  # should return the first response

resp = http.request("GET", "https://httpbin.org/redirect/1")

However, the retries parameter is currently ignored, which means all the above examples don't disable redirects.

Affected usages

Passing retries on PoolManager instantiation to disable redirects or restrict their number.

By default, requests and botocore users are not affected.

Impact

Redirects are often used to exploit SSRF vulnerabilities. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects at the PoolManager level will remain vulnerable.

Remediation

You can remediate this vulnerability with the following steps:

Upgrade to a patched version of urllib3. If your organization would benefit from the continued support of urllib3 1.x, please contact [email protected] to discuss sponsorship or contribution opportunities.
Disable redirects at the request() level instead of the PoolManager() level.

CVE-2025-50182

urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means you can use Python libraries to make HTTP requests from your browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects.

However, the retries and redirect parameters are ignored with Pyodide; the runtime itself determines redirect behavior.

Affected usages

Any code which relies on urllib3 to control the number of redirects for an HTTP request in a Pyodide runtime.

Impact

Redirects are often used to exploit SSRF vulnerabilities. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects may remain vulnerable if a Pyodide runtime redirect mechanism is unsuitable.

Remediation

If you use urllib3 in Node.js, upgrade to a patched version of urllib3.

Unfortunately, browsers provide no suitable way which urllib3 can use: XMLHttpRequest provides no control over redirects, the Fetch API returns opaqueredirect responses lacking data when redirects are controlled manually. Expect default browser behavior for redirects.

Release Notes

urllib3/urllib3 (urllib3)

`v2.5.0`

Compare Source

==================

Features

Added support for the compression.zstd module that is new in Python 3.14.
See PEP 784 <https://peps.python.org/pep-0784/>_ for more information. (#3610 <https://github.com/urllib3/urllib3/issues/3610>__)
Added support for version 0.5 of hatch-vcs (#3612 <https://github.com/urllib3/urllib3/issues/3612>__)

Bugfixes

Fixed a security issue where restricting the maximum number of followed
redirects at the urllib3.PoolManager level via the retries parameter
did not work.
Made the Node.js runtime respect redirect parameters such as retries
and redirects.
Raised exception for HTTPResponse.shutdown on a connection already released to the pool. (#3581 <https://github.com/urllib3/urllib3/issues/3581>__)
Fixed incorrect CONNECT statement when using an IPv6 proxy with connection_from_host. Previously would not be wrapped in []. (#3615 <https://github.com/urllib3/urllib3/issues/3615>__)

`v2.4.0`

Compare Source

==================

Features

Applied PEP 639 by specifying the license fields in pyproject.toml. (#3522 <https://github.com/urllib3/urllib3/issues/3522>__)
Updated exceptions to save and restore more properties during the pickle/serialization process. (#3567 <https://github.com/urllib3/urllib3/issues/3567>__)
Added verify_flags option to create_urllib3_context with a default of VERIFY_X509_PARTIAL_CHAIN and VERIFY_X509_STRICT for Python 3.13+. (#3571 <https://github.com/urllib3/urllib3/issues/3571>__)

Bugfixes

Fixed a bug with partial reads of streaming data in Emscripten. (#3555 <https://github.com/urllib3/urllib3/issues/3555>__)

Misc

Switched to uv for installing development dependecies. (#3550 <https://github.com/urllib3/urllib3/issues/3550>__)
Removed the multiple.intoto.jsonl asset from GitHub releases. Attestation of release files since v2.3.0 can be found on PyPI. (#3566 <https://github.com/urllib3/urllib3/issues/3566>__)

`v2.3.0`

Compare Source

==================

Features

Applied PEP 639 by specifying the license fields in pyproject.toml. (#3522 <https://github.com/urllib3/urllib3/issues/3522>__)
Updated exceptions to save and restore more properties during the pickle/serialization process. (#3567 <https://github.com/urllib3/urllib3/issues/3567>__)
Added verify_flags option to create_urllib3_context with a default of VERIFY_X509_PARTIAL_CHAIN and VERIFY_X509_STRICT for Python 3.13+. (#3571 <https://github.com/urllib3/urllib3/issues/3571>__)

Bugfixes

Fixed a bug with partial reads of streaming data in Emscripten. (#3555 <https://github.com/urllib3/urllib3/issues/3555>__)

Misc

Switched to uv for installing development dependecies. (#3550 <https://github.com/urllib3/urllib3/issues/3550>__)
Removed the multiple.intoto.jsonl asset from GitHub releases. Attestation of release files since v2.3.0 can be found on PyPI. (#3566 <https://github.com/urllib3/urllib3/issues/3566>__)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

dpebot · 2025-06-19T09:09:40Z

/gcbrun

dpebot · 2025-06-24T23:04:23Z

/gcbrun

dpebot · 2025-06-27T16:43:07Z

/gcbrun

dpebot · 2025-06-27T16:48:02Z

/gcbrun

dpebot · 2025-06-27T18:56:32Z

/gcbrun

dpebot · 2025-06-28T00:15:56Z

/gcbrun

dpebot · 2025-06-28T07:44:33Z

/gcbrun

dpebot · 2025-06-28T15:40:07Z

/gcbrun

dpebot · 2025-06-28T23:31:05Z

/gcbrun

dpebot · 2025-06-29T07:14:31Z

/gcbrun

dpebot · 2025-06-29T15:30:28Z

/gcbrun

dpebot · 2025-06-29T23:04:37Z

/gcbrun

dpebot · 2025-10-05T14:37:05Z

/gcbrun

dpebot · 2025-10-05T22:16:26Z

/gcbrun

dpebot · 2025-10-06T06:29:10Z

/gcbrun

dpebot · 2025-10-06T15:29:30Z

/gcbrun

dpebot · 2025-10-06T23:48:18Z

/gcbrun

dpebot · 2025-10-07T06:48:29Z

/gcbrun

dpebot · 2025-10-07T17:38:36Z

/gcbrun

dpebot · 2025-10-08T12:27:07Z

/gcbrun

dpebot · 2025-10-08T22:13:52Z

/gcbrun

dpebot · 2025-10-09T07:08:11Z

/gcbrun

dpebot · 2025-10-14T14:36:40Z

/gcbrun

dpebot · 2025-10-27T20:50:54Z

/gcbrun

forking-renovate · 2025-11-03T03:31:53Z

⚠️ Artifact update problem

Renovate failed to update artifacts related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

any of the package files in this branch needs updating, or
the branch becomes conflicted, or
you click the rebase/retry checkbox if found above, or
you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: src/frontend/requirements.txt

Command failed: pip-compile --output-file=requirements.txt requirements.in
Traceback (most recent call last):
  File "/opt/containerbase/tools/pip-tools/7.5.1/3.11.14/bin/pip-compile", line 7, in <module>
    sys.exit(cli())
             ^^^^^
  File "/opt/containerbase/tools/pip-tools/7.5.1/3.11.14/lib/python3.11/site-packages/click/core.py", line 1462, in __call__
    return self.main(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/containerbase/tools/pip-tools/7.5.1/3.11.14/lib/python3.11/site-packages/click/core.py", line 1383, in main
    rv = self.invoke(ctx)
         ^^^^^^^^^^^^^^^^
  File "/opt/containerbase/tools/pip-tools/7.5.1/3.11.14/lib/python3.11/site-packages/click/core.py", line 1246, in invoke
    return ctx.invoke(self.callback, **ctx.params)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/containerbase/tools/pip-tools/7.5.1/3.11.14/lib/python3.11/site-packages/click/core.py", line 814, in invoke
    return callback(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/containerbase/tools/pip-tools/7.5.1/3.11.14/lib/python3.11/site-packages/click/decorators.py", line 34, in new_func
    return f(get_current_context(), *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/containerbase/tools/pip-tools/7.5.1/3.11.14/lib/python3.11/site-packages/piptools/scripts/compile.py", line 327, in cli
    for ireq in filter(is_pinned_requirement, ireqs):
  File "/opt/containerbase/tools/pip-tools/7.5.1/3.11.14/lib/python3.11/site-packages/piptools/_compat/pip_compat.py", line 115, in parse_requirements
    install_req = copy_install_requirement(install_req)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/containerbase/tools/pip-tools/7.5.1/3.11.14/lib/python3.11/site-packages/piptools/utils.py", line 503, in copy_install_requirement
    "use_pep517": template.use_pep517,
                  ^^^^^^^^^^^^^^^^^^^
AttributeError: 'InstallRequirement' object has no attribute 'use_pep517'

File name: src/accounts/userservice/requirements.txt

Command failed: pip-compile --output-file=requirements.txt requirements.in
Traceback (most recent call last):
  File "/opt/containerbase/tools/pip-tools/7.5.1/3.11.14/bin/pip-compile", line 7, in <module>
    sys.exit(cli())
             ^^^^^
  File "/opt/containerbase/tools/pip-tools/7.5.1/3.11.14/lib/python3.11/site-packages/click/core.py", line 1462, in __call__
    return self.main(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/containerbase/tools/pip-tools/7.5.1/3.11.14/lib/python3.11/site-packages/click/core.py", line 1383, in main
    rv = self.invoke(ctx)
         ^^^^^^^^^^^^^^^^
  File "/opt/containerbase/tools/pip-tools/7.5.1/3.11.14/lib/python3.11/site-packages/click/core.py", line 1246, in invoke
    return ctx.invoke(self.callback, **ctx.params)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/containerbase/tools/pip-tools/7.5.1/3.11.14/lib/python3.11/site-packages/click/core.py", line 814, in invoke
    return callback(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/containerbase/tools/pip-tools/7.5.1/3.11.14/lib/python3.11/site-packages/click/decorators.py", line 34, in new_func
    return f(get_current_context(), *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/containerbase/tools/pip-tools/7.5.1/3.11.14/lib/python3.11/site-packages/piptools/scripts/compile.py", line 327, in cli
    for ireq in filter(is_pinned_requirement, ireqs):
  File "/opt/containerbase/tools/pip-tools/7.5.1/3.11.14/lib/python3.11/site-packages/piptools/_compat/pip_compat.py", line 115, in parse_requirements
    install_req = copy_install_requirement(install_req)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/containerbase/tools/pip-tools/7.5.1/3.11.14/lib/python3.11/site-packages/piptools/utils.py", line 503, in copy_install_requirement
    "use_pep517": template.use_pep517,
                  ^^^^^^^^^^^^^^^^^^^
AttributeError: 'InstallRequirement' object has no attribute 'use_pep517'

File name: src/accounts/contacts/requirements.txt

Command failed: pip-compile --output-file=requirements.txt requirements.in
Traceback (most recent call last):
  File "/opt/containerbase/tools/pip-tools/7.5.1/3.11.14/bin/pip-compile", line 7, in <module>
    sys.exit(cli())
             ^^^^^
  File "/opt/containerbase/tools/pip-tools/7.5.1/3.11.14/lib/python3.11/site-packages/click/core.py", line 1462, in __call__
    return self.main(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/containerbase/tools/pip-tools/7.5.1/3.11.14/lib/python3.11/site-packages/click/core.py", line 1383, in main
    rv = self.invoke(ctx)
         ^^^^^^^^^^^^^^^^
  File "/opt/containerbase/tools/pip-tools/7.5.1/3.11.14/lib/python3.11/site-packages/click/core.py", line 1246, in invoke
    return ctx.invoke(self.callback, **ctx.params)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/containerbase/tools/pip-tools/7.5.1/3.11.14/lib/python3.11/site-packages/click/core.py", line 814, in invoke
    return callback(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/containerbase/tools/pip-tools/7.5.1/3.11.14/lib/python3.11/site-packages/click/decorators.py", line 34, in new_func
    return f(get_current_context(), *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/containerbase/tools/pip-tools/7.5.1/3.11.14/lib/python3.11/site-packages/piptools/scripts/compile.py", line 327, in cli
    for ireq in filter(is_pinned_requirement, ireqs):
  File "/opt/containerbase/tools/pip-tools/7.5.1/3.11.14/lib/python3.11/site-packages/piptools/_compat/pip_compat.py", line 115, in parse_requirements
    install_req = copy_install_requirement(install_req)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/containerbase/tools/pip-tools/7.5.1/3.11.14/lib/python3.11/site-packages/piptools/utils.py", line 503, in copy_install_requirement
    "use_pep517": template.use_pep517,
                  ^^^^^^^^^^^^^^^^^^^
AttributeError: 'InstallRequirement' object has no attribute 'use_pep517'

dpebot · 2025-11-03T03:32:03Z

/gcbrun

dpebot · 2025-11-03T21:05:09Z

/gcbrun

renovate-bot requested review from a team and yoshi-approver as code owners June 19, 2025 09:09

forking-renovate bot added lang: python Issues specific to Python. type:security labels Jun 19, 2025

renovate-bot added lang: python Issues specific to Python. type:security labels Jun 19, 2025

renovate-bot force-pushed the renovate/pypi-urllib3-vulnerability branch from 2c46fa5 to 7c34637 Compare June 24, 2025 23:04

renovate-bot force-pushed the renovate/pypi-urllib3-vulnerability branch from 7c34637 to ec7cdec Compare June 27, 2025 16:42

renovate-bot force-pushed the renovate/pypi-urllib3-vulnerability branch from ec7cdec to bbabb9b Compare June 27, 2025 16:47

renovate-bot force-pushed the renovate/pypi-urllib3-vulnerability branch from bbabb9b to 95f5f7a Compare June 27, 2025 18:56

renovate-bot force-pushed the renovate/pypi-urllib3-vulnerability branch from 95f5f7a to b73f7a6 Compare June 28, 2025 00:15

renovate-bot force-pushed the renovate/pypi-urllib3-vulnerability branch from b73f7a6 to 7f82ff4 Compare June 28, 2025 07:44

renovate-bot force-pushed the renovate/pypi-urllib3-vulnerability branch from 7f82ff4 to 4e6e732 Compare June 28, 2025 15:39

renovate-bot force-pushed the renovate/pypi-urllib3-vulnerability branch from 4e6e732 to 16fd6c0 Compare June 28, 2025 23:30

renovate-bot force-pushed the renovate/pypi-urllib3-vulnerability branch from 16fd6c0 to bed6533 Compare June 29, 2025 07:14

renovate-bot force-pushed the renovate/pypi-urllib3-vulnerability branch from bed6533 to db28187 Compare June 29, 2025 15:30

renovate-bot force-pushed the renovate/pypi-urllib3-vulnerability branch from db28187 to 421262b Compare June 29, 2025 23:04

renovate-bot force-pushed the renovate/pypi-urllib3-vulnerability branch from 421262b to 834e73e Compare June 30, 2025 15:04

renovate-bot force-pushed the renovate/pypi-urllib3-vulnerability branch from 3b3f43d to 1a82d3d Compare October 5, 2025 14:36

renovate-bot force-pushed the renovate/pypi-urllib3-vulnerability branch from 1a82d3d to 189e822 Compare October 5, 2025 22:16

renovate-bot force-pushed the renovate/pypi-urllib3-vulnerability branch from 189e822 to 0e21cf8 Compare October 6, 2025 06:29

renovate-bot force-pushed the renovate/pypi-urllib3-vulnerability branch from 0e21cf8 to 8c71659 Compare October 6, 2025 15:29

renovate-bot force-pushed the renovate/pypi-urllib3-vulnerability branch from 8c71659 to bc81025 Compare October 6, 2025 23:48

renovate-bot force-pushed the renovate/pypi-urllib3-vulnerability branch from bc81025 to e12089f Compare October 7, 2025 06:48

renovate-bot force-pushed the renovate/pypi-urllib3-vulnerability branch from e12089f to bb0a3d9 Compare October 7, 2025 17:38

renovate-bot force-pushed the renovate/pypi-urllib3-vulnerability branch from bb0a3d9 to 8d2b2dd Compare October 8, 2025 12:26

renovate-bot force-pushed the renovate/pypi-urllib3-vulnerability branch from 8d2b2dd to 3664d2d Compare October 8, 2025 22:13

renovate-bot force-pushed the renovate/pypi-urllib3-vulnerability branch from 3664d2d to c39e07d Compare October 9, 2025 07:08

renovate-bot force-pushed the renovate/pypi-urllib3-vulnerability branch from c39e07d to 0b22740 Compare October 14, 2025 14:36

renovate-bot force-pushed the renovate/pypi-urllib3-vulnerability branch from 0b22740 to b669f7f Compare October 27, 2025 20:50

renovate-bot force-pushed the renovate/pypi-urllib3-vulnerability branch from b669f7f to 7668ec6 Compare November 3, 2025 03:31

chore(deps): update dependency urllib3 to v2.5.0 [security]

8dfd2b6

renovate-bot force-pushed the renovate/pypi-urllib3-vulnerability branch from 7668ec6 to 8dfd2b6 Compare November 3, 2025 21:04

chore(deps): update dependency urllib3 to v2.5.0 [security] #2331

Are you sure you want to change the base?

chore(deps): update dependency urllib3 to v2.5.0 [security] #2331

Uh oh!

Conversation

renovate-bot commented Jun 19, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

GitHub Vulnerability Alerts

CVE-2025-50181

Affected usages

Impact

Remediation

CVE-2025-50182

Affected usages

Impact

Remediation

Release Notes

v2.5.0

Features

Bugfixes

v2.4.0

Features

Bugfixes

Misc

v2.3.0

Features

Bugfixes

Misc

Configuration

Uh oh!

dpebot commented Jun 19, 2025

Uh oh!

dpebot commented Jun 24, 2025

Uh oh!

dpebot commented Jun 27, 2025

Uh oh!

dpebot commented Jun 27, 2025

Uh oh!

dpebot commented Jun 27, 2025

Uh oh!

dpebot commented Jun 28, 2025

Uh oh!

dpebot commented Jun 28, 2025

Uh oh!

dpebot commented Jun 28, 2025

Uh oh!

dpebot commented Jun 28, 2025

Uh oh!

dpebot commented Jun 29, 2025

Uh oh!

dpebot commented Jun 29, 2025

Uh oh!

dpebot commented Jun 29, 2025

Uh oh!

dpebot commented Oct 5, 2025

Uh oh!

dpebot commented Oct 5, 2025

Uh oh!

dpebot commented Oct 6, 2025

Uh oh!

dpebot commented Oct 6, 2025

Uh oh!

dpebot commented Oct 6, 2025

Uh oh!

dpebot commented Oct 7, 2025

Uh oh!

dpebot commented Oct 7, 2025

Uh oh!

dpebot commented Oct 8, 2025

Uh oh!

dpebot commented Oct 8, 2025

Uh oh!

dpebot commented Oct 9, 2025

Uh oh!

dpebot commented Oct 14, 2025

Uh oh!

dpebot commented Oct 27, 2025

Uh oh!

forking-renovate bot commented Nov 3, 2025

⚠️ Artifact update problem

renovate-bot commented Jun 19, 2025 •

edited

Loading

`v2.5.0`

`v2.4.0`

`v2.3.0`