CVE-2018-25091 - urllib3 Authorization Header Leak When Following Cross-Origin Redirects

In this post, we will cover a security vulnerability identified as CVE-2018-25091, which affects urllib3 versions prior to 1.24.2. This vulnerability exposes the HTTP Authorization header for an application that uses the library when following cross-origin redirects, potentially leading to the leak of sensitive data or credentials across different hosts.

Background

The urllib3 is a popular, functions-packed HTTP library, often used by Python developers to send HTTP requests. However, urllib3 versions before 1.24.2 had an issue that does not remove the authorization HTTP header when following a cross-origin redirect, thus your credentials could be exposed to unintended hosts or transmitted in cleartext. This vulnerability exists because of an incomplete fix for CVE-2018-20060, which originally had a case-sensitive issue.

Here's an example of the issue within the urllib3 library

import urllib3

http = urllib3.PoolManager()

# Providing basic authentication credentials
headers = urllib3.util.make_headers(basic_auth='username:password')

# Requesting a URL that redirects to a different host
response = http.request('GET', 'https://example.com/redirect';, headers=headers)

In the code snippet above, the headers variable contains the Authorization header with the base64-encoded "username:password". When the request is made to https://example.com/redirect, it can potentially redirect to another host. urllib3 versions before 1.24.2 would not remove the authorization header when making the subsequent request after the redirect, potentially exposing the credentials in the header to the new host.

Exploit Details

An attacker could exploit this vulnerability by manipulating a cross-origin redirect, potentially leading to credential leakage across different hosts or transmission of sensitive data in cleartext.

For example, imagine an application that uses urllib3 to fetch resources from another domain, with its authorization header containing an API key. A well-crafted cross-origin redirect could potentially mislead the naïve application into sending the header, along with the API key, to an unintended host, hence allowing the attacker to acquire unauthorized access to the resource.

Solution

To patch this vulnerability, it's necessary to upgrade your urllib3 library to version 1.24.2 or later by running the following command:

pip install --upgrade urllib3

Further readings and original references

1. urllib3 documentation: https://urllib3.readthedocs.io/en/latest/
2. urllib3 issue related to CVE-2018-25091: https://github.com/urllib3/urllib3/issues/1553
3. CVE-2018-25091 Details: https://nvd.nist.gov/vuln/detail/CVE-2018-25091
4. CVE-2018-20060 Details: https://nvd.nist.gov/vuln/detail/CVE-2018-20060

Conclusion

It is highly recommended to update your urllib3 library to version 1.24.2 or later as soon as possible to prevent potential data leakage or unauthorized access. Regularly updating your libraries and staying informed about the latest security vulnerabilities is essential in ensuring the safety and security of your applications.

Timeline

Published on: 10/15/2023 19:15:00 UTC
Last modified on: 10/19/2023 14:01:00 UTC