CVE-2023-45803

CWE-200Information Exposure13 documents8 sources
Severity
4.2MEDIUM
EPSS
0.1%
top 84.26%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Urllib3 Urllib3Python Urllib3Fedoraproject Fedora
Timeline
PublishedOct 17
Latest updateSep 23

Description

urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other

CVSS vector

CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:NExploitability: 0.5 | Impact: 3.6

Affected Packages4 packages

NVDpython/urllib32.0.02.0.7+1
Debianpython-urllib3< 1.26.5-1~exp1+deb11u1+3
PyPIurllib32.0.02.0.7+1
CVEListV5urllib3/urllib3< 1.26.18+1

Also affects: Fedora 38

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

6
OSV
python-pip vulnerabilities2025-09-23
OSV
python-urllib3 vulnerabilities2023-11-07
CVEList
Request body not stripped after redirect in urllib32023-10-17
GHSA
urllib3's request body not stripped after redirect from 303 status changes request method to GET2023-10-17
OSV
urllib3's request body not stripped after redirect from 303 status changes request method to GET2023-10-17

📋Vendor Advisories

6
Ubuntu
pip vulnerabilities2025-09-23
Ubuntu
pip vulnerabilities2023-11-15
Ubuntu
urllib3 vulnerabilities2023-11-07
Red Hat
urllib3: Request body not stripped after redirect from 303 status changes request method to GET2023-10-13
Microsoft
Request body not stripped after redirect in urllib32023-10-10
CVE-2023-45803 (MEDIUM CVSS 4.2) | urllib3 is a user-friendly HTTP cli | cvebase.io