All urllib3 CVEs — Complete Vulnerability History
urllib3 is the HTTP client underlying Python's requests library. It's one of the most downloaded packages on PyPI. CVEs here affect every application using requests transitively.
PyPI · 300M+ weekly downloads · 4 CVEs total
Full CVE history
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2019-11324 | 2019 | HIGH | Certificate verification bypass via crafted hostname | Fixed 1.24.2 |
| CVE-2021-33503 | 2021 | HIGH | ReDoS via crafted HTTP response | Fixed 1.26.5 |
| CVE-2023-43804 | 2023 | MEDIUM | Cookie header not stripped on redirect | Fixed 2.0.6 |
| CVE-2023-45803 | 2023 | MEDIUM | Request body not stripped after redirect | Fixed 2.0.7 |
Current safe version: 2.2.2

Update the pin in requirements.txt (the quotes shown on some copies of this snippet are not valid requirements.txt syntax and have been dropped):

```text
# Before
urllib3==1.25.11
# After
urllib3==2.2.2
```

Then run: `pip install -r requirements.txt`
Common questions
Is there a breaking change between urllib3 1.x and 2.x?
Yes — urllib3 2.x requires Python 3.8+, drops Python 2 support, and has API changes. requests pins to urllib3<3 so it works with both. If you use urllib3 directly, check the migration guide.
Does updating requests update urllib3?
Not to a specific version. requests accepts a range. Pin urllib3 explicitly in your requirements.txt if you need to force a specific safe version.
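A minimal way to act on the two answers above is to check the urllib3 pin in a requirements.txt against the fix versions in the table on this page. The following is an added example, not PackageFix code: it parses only exact `==` pins (a range specifier such as `urllib3>=1.21.1,<3` does not guarantee a patched version, so it is reported as unpinned), compares versions as integer tuples, and lists the CVEs whose fix version is newer than the pin. The fix versions are taken from the table above; the table gives one fix version per CVE, so a backport to an older release line would not be recognised and a flag on a 1.x pin should be read as a prompt to check the advisory. The sample manifest text is constructed.

```python
import re

# Fix versions exactly as listed in the CVE table on this page.
URLLIB3_FIXES = {
    "CVE-2019-11324": (1, 24, 2),
    "CVE-2021-33503": (1, 26, 5),
    "CVE-2023-43804": (2, 0, 6),
    "CVE-2023-45803": (2, 0, 7),
}
# "Current safe version" from this page.
SAFE_VERSION = (2, 2, 2)

# Matches an exact pin such as "urllib3==1.25.11"; other specifiers are ignored on purpose.
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9]+(?:\.[0-9]+)*)$")


def parse_version(text):
    """Turn '1.25.11' into (1, 25, 11) so tuple comparison orders versions correctly."""
    return tuple(int(part) for part in text.split("."))


def normalize_name(name):
    """PEP 503 style normalisation so 'URLLIB3' and 'urllib3' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def pinned_urllib3(requirements_text):
    """Return the pinned urllib3 version as a tuple, or None if no exact pin is present."""
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        match = PIN_RE.match(line)
        if match and normalize_name(match.group(1)) == "urllib3":
            return parse_version(match.group(2))
    return None


def affected_cves(version):
    """CVEs from the table whose fix version is newer than the given version."""
    return sorted(cve for cve, fixed in URLLIB3_FIXES.items() if version < fixed)


def check_manifest(requirements_text):
    """Summarise the urllib3 pin: {'pinned': tuple|None, 'cves': [...], 'recommendation': str}."""
    version = pinned_urllib3(requirements_text)
    if version is None:
        return {
            "pinned": None,
            "cves": [],
            "recommendation": "urllib3 is not pinned with ==; pin it explicitly "
                              "(requests only constrains a range).",
        }
    cves = affected_cves(version)
    if cves or version < SAFE_VERSION:
        rec = "pin urllib3==%s" % ".".join(str(p) for p in SAFE_VERSION)
    else:
        rec = "no change needed"
    return {"pinned": version, "cves": cves, "recommendation": rec}


if __name__ == "__main__":
    # Constructed sample manifest, not taken from any real project.
    SAMPLE = "requests==2.31.0\nurllib3==1.25.11  # pinned years ago\ncertifi>=2023.7.22\n"
    print(check_manifest(SAMPLE))
```

Because versions are compared as tuples, the check also handles pins with fewer components (a `2.2` pin is correctly treated as older than `2.2.2`); pre-release suffixes are outside the regex and will simply not match, which surfaces as "not pinned" rather than a silent pass.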