{"id":"PYSEC-2026-1995","summary":"urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects","details":"When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected.\n\nHowever, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects.\n\nBecause this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident.\n\nUsers should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach.\n\n## Affected usages\n\nWe believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited:\n\n* Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support.\n* Not disabling HTTP redirects.\n* Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin.\n\n## Remediation\n\n* Using the `Proxy-Authorization` header with urllib3's `ProxyManager`.\n* Disabling HTTP redirects using `redirects=False` when sending requests.\n* Not using the `Proxy-Authorization` header.","aliases":["CVE-2024-37891","GHSA-34jh-p97f-mpxf"],"modified":"2026-07-07T17:48:15.400192088Z","published":"2026-07-07T14:34:34.848392Z","references":[{"type":"WEB","url":"https://github.com/urllib3/urllib3/security/advisories/GHSA-34jh-p97f-mpxf"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-37891"},{"type":"WEB","url":"https://github.com/urllib3/urllib3/commit/40b6d1605814dd1db0a46e202d6e56f2e4c9a468"},{"type":"WEB","url":"https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e"},{"type":"PACKAGE","url":"https://github.com/urllib3/urllib3"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/12/msg00020.html"},{"type":"WEB","url":"https://security.netapp.com/advisory/ntap-20240822-0003"},{"type":"WEB","url":"https://www.vicarius.io/vsociety/posts/proxy-authorization-header-handling-vulnerability-in-urllib3-cve-2024-37891"},{"type":"PACKAGE","url":"https://pypi.org/project/urllib3"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-34jh-p97f-mpxf"}],"affected":[{"package":{"name":"urllib3","ecosystem":"PyPI","purl":"pkg:pypi/urllib3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.26.19"},{"introduced":"2.0.0"},{"fixed":"2.2.2"}]}],"versions":["0.2","0.3","0.3.1","0.4.0","0.4.1","1.0","1.0.1","1.0.2","1.1","1.10","1.10.1","1.10.2","1.10.3","1.10.4","1.11","1.12","1.13","1.13.1","1.14","1.15","1.15.1","1.16","1.17","1.18","1.18.1","1.19","1.19.1","1.2","1.2.1","1.2.2","1.20","1.21","1.21.1","1.22","1.23","1.24","1.24.1","1.24.2","1.24.3","1.25","1.25.1","1.25.10","1.25.11","1.25.2","1.25.3","1.25.4","1.25.5","1.25.6","1.25.7","1.25.8","1.25.9","1.26.0","1.26.1","1.26.10","1.26.11","1.26.12","1.26.13","1.26.14","1.26.15","1.26.16","1.26.17","1.26.18","1.26.2","1.26.3","1.26.4","1.26.5","1.26.6","1.26.7","1.26.8","1.26.9","1.3","1.4","1.5","1.6","1.7","1.7.1","1.8","1.8.2","1.8.3","1.9","1.9.1","2.0.0","2.0.1","2.0.2","2.0.3","2.0.4","2.0.5","2.0.6","2.0.7","2.1.0","2.2.0","2.2.1"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/urllib3/PYSEC-2026-1995.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N"}]}