Intel

AIKIDO-2026-488356

urllib is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Exposure of Sensitive Information to an Unauthorized ActorCVE-2026-55553 Published Jul 1, 2026

75

High Risk

This Affects:

JSurllib
0.0.1 - 2.44.0
Fixed in 2.44.1
4.0.0 - 4.9.0
Fixed in 4.9.1
Are you affected? Scan for Free

TL;DR

urllib follows HTTP redirects when followRedirect is enabled and reuses the caller-supplied request options on each hop. On a cross-origin redirect it forwards credential-bearing headers such as Authorization, Cookie, and Proxy-Authorization, and re-applies the auth/digestAuth options, to the new origin. An attacker-controlled, compromised, or misconfigured redirect target can therefore receive credentials that were intended only for the original host. The fix detects cross-origin redirects and strips these credential headers and clears auth/digestAuth, while leaving same-origin redirects and the caller's headers object unchanged.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you send authenticated requests with credential-bearing headers or auth/digestAuth while following redirects.

Background info

urllib is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor in versions 4.0.0 - 4.9.0 and 0.0.1 - 2.44.0.

How to fix this

Upgrade the urllib library to the patch version.