MEDIUM · CVSS 4.4

CVE-2024-37891 — urllib3 proxy-auth credential leak through redirects

urllib3 forwarded Proxy-Authorization headers on cross-origin redirects, leaking proxy credentials to attacker-controlled hosts.

Affects
  • urllib3 < 1.26.19 / < 2.2.2

What an attacker does

Any Python HTTP client using urllib3 with proxy credentials could leak the Proxy-Authorization header to the redirect target. If the attacker controls the target, they capture the proxy credentials.

How to detect

Run `pip show urllib3` and compare the reported version against the fixed releases (1.26.19 for the 1.x line, 2.2.2 for the 2.x line); anything older is affected.

How to fix

Upgrade urllib3 to 1.26.19+ / 2.2.2+.
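The detection step and the behaviour of the fix, as an added example that is not urllib3's own code: it reads the version out of `pip show urllib3` output, compares it with the fixed releases named above, and shows the header-stripping rule a patched client applies when a redirect leaves the original origin (the `SENSITIVE_ON_REDIRECT` set and the sample `pip show` output are assumptions constructed for the example).

```python
import re
from urllib.parse import urlsplit

# Fixed releases from the advisory: 1.26.19 for the 1.x line, 2.2.2 for 2.x.
FIXED_1X = (1, 26, 19)
FIXED_2X = (2, 2, 2)

# Credential-bearing headers that must not follow a cross-origin redirect (assumed set).
SENSITIVE_ON_REDIRECT = frozenset({"proxy-authorization", "authorization", "cookie"})


def version_from_pip_show(output):
    """Pull the 'Version:' field out of `pip show urllib3` output; None if absent."""
    for line in output.splitlines():
        if line.startswith("Version:"):
            return line.split(":", 1)[1].strip()
    return None


def parse_version(text):
    """'1.26.18' -> (1, 26, 18); pre-release suffixes such as '2.2.2rc1' are ignored."""
    nums = []
    for piece in text.split(".")[:3]:
        m = re.match(r"\d+", piece)
        nums.append(int(m.group()) if m else 0)
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_vulnerable(version):
    """True when the installed urllib3 is older than the fixed release of its major line."""
    v = parse_version(version)
    return v < (FIXED_2X if v[0] >= 2 else FIXED_1X)


def headers_for_redirect(headers, from_url, to_url):
    """Headers to send to a redirect target: unchanged for the same origin,
    with credential headers removed when scheme, host or port differs."""
    def origin(url):
        u = urlsplit(url)
        port = u.port or {"http": 80, "https": 443}.get(u.scheme.lower())
        return (u.scheme.lower(), (u.hostname or "").lower(), port)

    if origin(from_url) == origin(to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_ON_REDIRECT}


if __name__ == "__main__":
    sample = "Name: urllib3\nVersion: 1.26.18\nLocation: /tmp/venv\n"  # constructed
    ver = version_from_pip_show(sample)
    print(ver, "vulnerable" if is_vulnerable(ver) else "fixed")
```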

How Securie catches it

Securie flags an affected urllib3 version in the Python dependency tree and raises the finding when the code also uses a proxy.

References