CVE-2024-37891

4.4 MEDIUM

📋 TL;DR

urllib3's CVE-2024-37891 allows the Proxy-Authorization header to leak during cross-origin redirects when the header is set manually instead of through urllib3's built-in proxy support. This could expose proxy credentials to unintended servers if several specific conditions align. Only users who set the Proxy-Authorization header by hand, without proper proxy configuration, are affected.

💻 Affected Systems

Products:
  • urllib3
Versions: All 1.x versions before 1.26.19 and all 2.x versions before 2.2.2
Operating Systems: All operating systems running Python with urllib3
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when Proxy-Authorization header is set manually without using urllib3's ProxyManager AND redirects are enabled AND redirects go to cross-origin servers.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Proxy authentication credentials could be exposed to malicious servers if a vulnerable configuration redirects to an attacker-controlled domain.

🟠 Likely Case

Minimal impact due to the specific configuration requirements; most users won't be affected, because proper proxy usage doesn't trigger this vulnerability.

🟢 If Mitigated

No credential exposure when using urllib3's ProxyManager correctly or with redirects disabled.

🌐 Internet-Facing: LOW - Requires specific misconfiguration and redirect to malicious server, which is unlikely in properly configured systems.
🏢 Internal Only: LOW - Same constraints apply internally; requires misconfiguration and malicious redirection within internal networks.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Exploitation requires a specific misconfiguration, redirects left enabled, and either an HTTP origin server or a malicious redirect target. No active exploitation is known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.26.19 or 2.2.2

Vendor Advisory: https://github.com/urllib3/urllib3/security/advisories/GHSA-34jh-p97f-mpxf

Restart Required: No

Instructions:

1. Update urllib3 using pip: 'pip install --upgrade urllib3==1.26.19' or 'pip install --upgrade urllib3==2.2.2'.
2. Verify the installation with 'pip show urllib3'.
3. Test application functionality.

🔧 Temporary Workarounds

Use ProxyManager (applies to: all)

Configure proxy authentication using urllib3's built-in ProxyManager instead of manually setting Proxy-Authorization headers.

Disable HTTP Redirects (applies to: all)

Pass redirect=False when making requests so that cross-origin redirects are not followed automatically.

🧯 If You Can't Patch

  • Avoid manually setting Proxy-Authorization header without using ProxyManager
  • Implement an application-level check that strips any manually set Proxy-Authorization header before requests are sent

🔍 How to Verify

Check if Vulnerable:

Check if urllib3 version is below 1.26.19 (for 1.x) or below 2.2.2 (for 2.x) AND code manually sets Proxy-Authorization header without using ProxyManager.
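The version check above and the two workarounds, as an added example (not code from urllib3 or from this advisory): a version test for the affected ranges, a check that mirrors the advisory's three conditions for a given request, the header-stripping guard for code that cannot patch, and the ProxyManager pattern that owns the credential. Function names, the proxy URL and the sample headers are assumptions for illustration.

```python
"""Checks and mitigations for CVE-2024-37891 (example code, not urllib3's own)."""
from urllib.parse import urlsplit

# Fixed versions from the advisory: 1.26.19 for the 1.x line, 2.2.2 for 2.x.
FIXED = {1: (1, 26, 19), 2: (2, 2, 2)}


def parse_version(text):
    """Turn '1.26.18' or '2.2.2' into a comparable tuple of ints."""
    return tuple(int(part) for part in text.split(".")[:3])


def version_is_affected(version_text):
    """True when the installed urllib3 is older than the fix for its major line."""
    version = parse_version(version_text)
    fixed = FIXED.get(version[0])
    if fixed is None:  # major lines the advisory does not cover
        return False
    return version < fixed


def same_origin(url_a, url_b):
    """Scheme, host and port all match; anything else is cross-origin."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)


def request_is_risky(headers, request_url, redirect_url, follow_redirects=True):
    """Mirror the advisory's conditions: header set manually, redirects on,
    and the redirect target is a different origin than the request."""
    has_proxy_auth = any(k.lower() == "proxy-authorization" for k in headers)
    return has_proxy_auth and follow_redirects and not same_origin(request_url, redirect_url)


def strip_proxy_auth(headers):
    """Guard for unpatched code: drop the header before a plain PoolManager
    request so a redirect can never carry it to another origin."""
    return {k: v for k, v in headers.items() if k.lower() != "proxy-authorization"}


def hardened_request(proxy_url, proxy_user, proxy_password, method, url):
    """The recommended fix: let ProxyManager own the credential via proxy_headers
    (this one performs a real network request, so it is not exercised offline)."""
    import urllib3  # imported lazily so the pure checks above run without it
    proxy_headers = urllib3.make_headers(proxy_basic_auth=f"{proxy_user}:{proxy_password}")
    http = urllib3.ProxyManager(proxy_url, proxy_headers=proxy_headers)
    return http.request(method, url)
```

Run version_is_affected() against the output of python -c "import urllib3; print(urllib3.__version__)" to decide whether the manual-header audit is needed at all.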

Check Version:

python -c "import urllib3; print(urllib3.__version__)"

Verify Fix Applied:

Verify urllib3 version is 1.26.19 or higher (1.x) or 2.2.2 or higher (2.x) using 'pip show urllib3' or 'python -c "import urllib3; print(urllib3.__version__)"'.

📡 Detection & Monitoring

Log Indicators:

  • Unusual cross-origin redirects in application logs
  • Failed proxy authentication attempts

Network Indicators:

  • Proxy-Authorization headers sent to non-proxy servers
  • Unexpected redirects to external domains

SIEM Query:

Search for HTTP requests containing Proxy-Authorization header with destination not matching configured proxy servers.
