Skip to content

VULN UPGRADE: urllib3 (major → 2.6.3) [empty_dash]#159

Draft
campaigner-prod[bot] wants to merge 1 commit intomasterfrom
engraver-auto-version-upgrade/major/pip/empty_dash/4-1772727972
Draft

VULN UPGRADE: urllib3 (major → 2.6.3) [empty_dash]#159
campaigner-prod[bot] wants to merge 1 commit intomasterfrom
engraver-auto-version-upgrade/major/pip/empty_dash/4-1772727972

Conversation

@campaigner-prod
Copy link

@campaigner-prod campaigner-prod bot commented Mar 5, 2026

Summary: Critical-severity security update — 1 package upgraded (MAJOR changes included)

Manifests changed:

  • empty_dash (pip)

Updates

Package From To Type Vulnerabilities Fixed
urllib3 1.22 2.6.3 major 3 CRITICAL, 11 HIGH, 12 MODERATE, 6 MEDIUM

Warning

Major Version Upgrade

This update includes major version changes that may contain breaking changes. Please:

  • Review the changelog/release notes for breaking changes
  • Test thoroughly in a staging environment
  • Update any code that depends on changed APIs
  • Ensure all tests pass before merging

Security Details

🚨 Critical & High Severity (14 fixed)
Package CVE Severity Summary Unsafe Version Fixed In
urllib3 GHSA-www2-v7xj-xrc6 CRITICAL Exposure of Sensitive Information to an Unauthorized Actor in urllib3 1.22 1.23
urllib3 PYSEC-2018-32 CRITICAL - 1.22 1.23
urllib3 CVE-2018-20060 CRITICAL - 1.22 -
urllib3 GHSA-v845-jxx5-vc9f HIGH Cookie HTTP header isn't stripped on cross-origin redirects 1.22 2.0.6
urllib3 PYSEC-2019-133 HIGH - 1.22 1.24.2
urllib3 CVE-2021-33503 high - 1.22 -
urllib3 GHSA-q2q7-5pp4-w6pg HIGH Catastrophic backtracking in URL authority parser when passed URL containing many @ characters 1.22 1.26.5
urllib3 PYSEC-2021-108 high - 1.22 2d4a3fee6de2fa45eb82169361918f759269b4ec
urllib3 GHSA-2xpw-w6gg-jr37 HIGH urllib3 streaming API improperly handles highly compressed data 1.22 2.6.0
urllib3 CVE-2025-66471 HIGH urllib3 Streaming API improperly handles highly compressed data 1.22 -
urllib3 CVE-2026-21441 HIGH urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API) 1.22 -
urllib3 GHSA-38jv-5279-wg99 HIGH Decompression-bomb safeguards bypassed when following HTTP redirects (streaming API) 1.22 2.6.3
urllib3 GHSA-mh33-7rrq-662w HIGH Improper Certificate Validation in urllib3 1.22 1.24.2
urllib3 CVE-2019-11324 HIGH - 1.22 -
ℹ️ Other Vulnerabilities (18)
Package CVE Severity Summary Unsafe Version Fixed In
urllib3 CVE-2023-45803 medium Request body not stripped after redirect in urllib3 1.22 -
urllib3 PYSEC-2023-212 medium - 1.22 4e98d57809dacab1cbe625fddeec1a290c478ea9
urllib3 CVE-2023-43804 medium Cookie HTTP header isn't stripped on cross-origin redirects 1.22 -
urllib3 PYSEC-2020-148 medium - 1.22 1dd69c5c5982fae7c87a620d487c2ebf7a6b436b
urllib3 CVE-2020-26137 medium - 1.22 -
urllib3 PYSEC-2023-192 medium - 1.22 644124ecd0b6e417c527191f866daa05a5a2056d
urllib3 GHSA-pq67-6m6q-mj2v MODERATE urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation 1.22 2.5.0
urllib3 GHSA-g4mx-q9vg-27p4 MODERATE urllib3's request body not stripped after redirect from 303 status changes request method to GET 1.22 2.0.7
urllib3 CVE-2025-50181 MODERATE urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation 1.22 -
urllib3 GHSA-wqvq-5m8c-6g24 MODERATE CRLF injection in urllib3 1.22 1.25.9
urllib3 GHSA-34jh-p97f-mpxf MODERATE urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects 1.22 1.26.19
urllib3 CVE-2024-37891 MODERATE Proxy-Authorization request header isn't stripped during cross-origin redirects in urllib3 1.22 -
urllib3 PYSEC-2023-207 MODERATE - 1.22 adb358f8e06865406d1f05e581a16cbea2136fbc
urllib3 GHSA-r64q-w8jr-g9qp MODERATE Improper Neutralization of CRLF Sequences in urllib3 library for Python 1.22 1.24.3
urllib3 CVE-2019-11236 MODERATE - 1.22 -
urllib3 PYSEC-2019-132 MODERATE - 1.22 1.24.3
urllib3 CVE-2018-25091 MODERATE - 1.22 -
urllib3 GHSA-gwvm-45gx-3cf8 MODERATE Authorization Header forwarded on redirect 1.22 1.24.2
⚠️ Dependencies that have Reached EOL (1)
Dependency Unsafe Version EOL Date New Version Path
urllib3 1.22 - 2.6.3 empty_dash/requirements.txt

Review Checklist

Extra review is recommended for this update:

  • Review changes for compatibility with your code
  • Check release notes for breaking changes
  • Run integration tests to verify service behavior
  • Test in staging environment before production
  • Monitor key metrics after deployment

Update Mode: Vulnerability Remediation (Critical/High)

🤖 Generated by DataDog Automated Dependency Management System

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

adms-critical-severity adms-dependency-update adms-fixes-eol adms-high-severity adms-major-update adms-medium-severity adms-mode-all-updates adms-python campaigner-automated-change

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants