All urllib3 CVEs — Complete Vulnerability History
Last updated: April 1, 2026 · Data: OSV Database
urllib3 is the HTTP client underlying Python's requests library and one of the most downloaded packages on PyPI. The CVEs listed here therefore affect every application that depends on requests, even if it never imports urllib3 directly.
PyPI: 300M+ weekly downloads · 4 CVEs total

Full CVE history
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2019-11324 | 2019 | HIGH | Certificate verification bypass via crafted hostname | Fixed 1.24.2 |
| CVE-2021-33503 | 2021 | HIGH | ReDoS via crafted HTTP response | Fixed 1.26.5 |
| CVE-2023-43804 | 2023 | MEDIUM | Cookie header not stripped on redirect | Fixed 2.0.6 |
| CVE-2023-45803 | 2023 | MEDIUM | Request body not stripped after redirect | Fixed 2.0.7 |
Current safe version: 2.2.2. Update the urllib3 pin in requirements.txt:

```
# Before
urllib3==1.25.11
# After
urllib3==2.2.2
```

Then run: `pip install -r requirements.txt`
Paste your manifest into PackageFix to check your exact versions against the full CVE history (free, runs in the browser, no signup or CLI).
Common questions
Is there a breaking change between urllib3 1.x and 2.x?
Yes. urllib3 2.x requires Python 3.8+, drops Python 2 support, and changes parts of the public API. requests pins urllib3<3, so it works with either major version. If your code imports urllib3 directly, check the migration guide before upgrading.
Does updating requests update urllib3?
Not to any particular version. requests declares a version range, so the resolver may keep an older urllib3 that still satisfies it. Pin urllib3 explicitly in your requirements.txt if you need to force a specific safe version.
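As an added example (not PackageFix's scanner and not urllib3 project code), the following Python check reads requirements.txt-style text, finds an exact `urllib3==` pin, and reports which CVEs from the table above have a fix version newer than that pin. The sample manifest is constructed; the fix versions are exactly those the table lists. Because the table gives the 2.x fix versions for the two 2023 CVEs, a 1.x pin is reported against those 2.x thresholds; urllib3 also backported the 2023 fixes to the 1.26 line, so confirm against the advisories before treating a late 1.26.x pin as exposed. A range such as `urllib3<3` (what requests itself declares) is deliberately not treated as a pin, which is the point of the FAQ above.

```python
"""Check a requirements manifest's urllib3 pin against the fix versions from this page.

Added example, not PackageFix's tooling. Fix versions are taken from the CVE table;
the sample requirements text below is constructed for illustration.
"""
import re

# Fix versions from the CVE table on this page (first release carrying the fix).
URLLIB3_FIXES = {
    "CVE-2019-11324": (1, 24, 2),
    "CVE-2021-33503": (1, 26, 5),
    "CVE-2023-43804": (2, 0, 6),
    "CVE-2023-45803": (2, 0, 7),
}

# Only an exact '==' pin forces a version; ranges like 'urllib3<3' do not.
# Only numeric release segments are captured (pre-release suffixes are ignored).
PIN_RE = re.compile(r"^\s*urllib3\s*==\s*([0-9]+(?:\.[0-9]+)*)", re.IGNORECASE)

# Constructed sample manifest using the 'Before' pin from this page.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
requests==2.31.0
urllib3==1.25.11   # vulnerable pin from the 'Before' snippet
"""


def parse_version(text):
    """Turn '1.25.11' into (1, 25, 11) so versions compare numerically.

    Comparing version strings lexically is a classic mistake: '1.9.0' > '1.10.0'
    as strings, but (1, 9, 0) < (1, 10, 0) as tuples.
    """
    return tuple(int(part) for part in text.strip().split("."))


def find_urllib3_pin(requirements_text):
    """Return the exact-pinned urllib3 version as a tuple, or None if there is no '==' pin."""
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0]  # strip trailing comments
        match = PIN_RE.match(line)
        if match:
            return parse_version(match.group(1))
    return None


def unpatched_cves(version):
    """CVEs from the table whose fix version is newer than the given version tuple."""
    return sorted(cve for cve, fixed in URLLIB3_FIXES.items() if version < fixed)


def report(requirements_text=SAMPLE_REQUIREMENTS):
    """Summarise the manifest: the pin found (if any) and the CVEs it is still exposed to."""
    pin = find_urllib3_pin(requirements_text)
    if pin is None:
        return {
            "pinned": None,
            "unpatched": None,
            "note": "no exact urllib3 pin; the resolver may choose any version in requests' range",
        }
    return {"pinned": pin, "unpatched": unpatched_cves(pin)}


if __name__ == "__main__":
    result = report()
    print("pinned urllib3:", ".".join(map(str, result["pinned"])))
    print("unpatched CVEs:", result["unpatched"])
```

Run it as-is to see the 'Before' pin flagged against the 2021 and 2023 entries; pass your own manifest text to `report()` to check a real file. The check reads the pin only, not the installed package, so it tells you what the manifest forces, not what happens to be in the environment.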