urllib is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
75
High Risk
urllib follows HTTP redirects when followRedirect is enabled and reuses the caller-supplied request options on each hop. On a cross-origin redirect it forwards credential-bearing headers such as Authorization, Cookie, and Proxy-Authorization, and re-applies the auth/digestAuth options, to the new origin. An attacker-controlled, compromised, or misconfigured redirect target can therefore receive credentials that were intended only for the original host. The fix detects cross-origin redirects and strips these credential headers and clears auth/digestAuth, while leaving same-origin redirects and the caller's headers object unchanged.
You are affected if you are using a version that falls within the vulnerable range and you send authenticated requests with credential-bearing headers or auth/digestAuth while following redirects.
urllib is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor in versions 4.0.0 - 4.9.0 and 0.0.1 - 2.44.0.
Upgrade the urllib library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant