urllib3, Open Redirect Vulnerability, CVE-2023-43804 (Medium)

How the CVE Works:

CVE-2023-43804 affects urllib3 when used in a Pyodide runtime (browser/Node.js). The library’s redirect and retry controls are ignored, deferring to the runtime’s default redirect handling (JavaScript Fetch/XHR). This bypasses SSRF/open-redirect mitigations, as Pyodide enforces its own redirect logic. Attackers could abuse this to force unintended HTTP redirects, exposing internal services or phishing users. Node.js users can patch, but browser environments remain vulnerable due to Fetch/XHR limitations.

DailyCVE Form:

Platform: urllib3 (Pyodide)
Version: <2.0.0
Vulnerability: Open Redirect
Severity: Medium
Date: 2023-09-28

Prediction: Patch by Nov 2023

What Undercode Say:

# Python side (urllib3 running under Pyodide):
import urllib3
http = urllib3.PoolManager()
# redirect=False is ignored in Pyodide; the runtime's Fetch/XHR decides whether to follow
response = http.request('GET', 'https://attacker.com', redirect=False)

// JavaScript side, Pyodide's default Fetch behavior:
fetch('https://victim.com/api', { redirect: 'manual' }); // Opaque response
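A self-test for the control the page says is ignored, added here as an example that is not part of the original post or of urllib3 itself. It starts a constructed local server whose /redirect path answers 302, then asks urllib3 for that path with redirect=False; under CPython the raw 302 comes back, and a runtime that defers to its own redirect handling would instead return the followed 200, so the function reports False. It assumes urllib3 is installed.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

import urllib3


class _RedirectingHandler(BaseHTTPRequestHandler):
    """Constructed local endpoint: /redirect answers 302 -> /target, anything else 200."""

    def do_GET(self):
        if self.path == "/redirect":
            self.send_response(302)
            self.send_header("Location", "/target")
            self.end_headers()
        else:
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(b"target")

    def log_message(self, *args):  # keep the server quiet
        pass


def _start_server():
    server = HTTPServer(("127.0.0.1", 0), _RedirectingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def redirect_controls_honored(base_url):
    """True if urllib3 hands back the raw 302 when redirect=False, i.e. the library,
    not the runtime, is in charge of redirects."""
    resp = urllib3.PoolManager().request("GET", base_url + "/redirect", redirect=False)
    return resp.status == 302 and resp.headers.get("Location") == "/target"


def self_test():
    """Run the check against the local server and also show the followed result."""
    server = _start_server()
    try:
        base = f"http://127.0.0.1:{server.server_port}"
        followed = urllib3.PoolManager().request("GET", base + "/redirect", redirect=True)
        return {"honored": redirect_controls_honored(base),
                "followed_status": followed.status, "followed_body": followed.data}
    finally:
        server.shutdown()
        server.server_close()
```

Run self_test() in the environment you are deploying to; a result of honored=False means redirect handling must be enforced outside the library, as the protection section advises.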

How the Exploit Works:

  1. Craft malicious URL with redirect to internal service.
  2. Trigger request via Pyodide-bound urllib3.
  3. Browser/Node.js follows redirect, bypassing library controls.

Protection from this CVE:

  • Node.js: Upgrade urllib3.
  • Browser: No fix; avoid critical logic in Pyodide.

Impact:

  • SSRF escalation.
  • Open redirect abuse.
  • Bypassed security controls.

Sources:

Reported By: github.com
Extra Source Hub:
Undercode
