Applications that authenticate to external APIs or internal services through proxies may silently forward login credentials or session tokens to unintended servers during redirect events, without any error or alert. If an attacker controls or compromises a redirect destination, they can harvest those credentials and use them to impersonate the application or its users against downstream systems. For organizations in regulated industries where API credentials gate access to sensitive data, this exposure could trigger notification obligations under breach reporting frameworks.
You Are Affected If
You run Python applications with urllib3 >= 1.23 and < 2.7.0 installed (directly or as a transitive dependency via packages such as requests, boto3, or the Kubernetes Python client)
Those applications route HTTP requests through a proxy server (forward proxy, SOCKS proxy, or HTTP_PROXY/HTTPS_PROXY environment variable configuration)
The application follows HTTP redirects automatically (the urllib3 default) rather than disabling redirect following and handling the Location header itself
Requests include Authorization or Cookie headers containing credentials or session tokens
The redirect chain crosses an origin boundary — the redirect destination has a different hostname or scheme than the original request target
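The conditions above can be checked mechanically. The following is an added audit helper, not code from the advisory or from urllib3 itself: it uses only the standard library (so it runs even where urllib3 is absent), compares an installed version against the 1.23 to 2.7.0 range, reports whether the proxy environment variables named above are set, and, given an original URL, a Location header and the outgoing headers, lists which credential-bearing headers would cross an origin boundary under the page's definition (differing scheme or hostname). The sample URLs in the usage are constructed.

```python
"""Audit helpers for the urllib3 proxy-redirect credential exposure conditions.
Added example (stdlib only); the version range, header names and origin rule follow the page."""
import re
from importlib import metadata
from urllib.parse import urljoin, urlsplit

AFFECTED_MIN = (1, 23)      # first affected release named on the page
FIXED_VERSION = (2, 7, 0)   # first fixed release named on the page
CREDENTIAL_HEADERS = {"authorization", "cookie"}  # headers the page names as carrying secrets
PROXY_ENV_VARS = ("HTTP_PROXY", "HTTPS_PROXY", "http_proxy", "https_proxy")


def parse_version(text):
    """Turn '1.26.18' or '2.7.0rc1' into a comparable tuple of ints (pre-release tags dropped)."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected_version(text):
    """True when a urllib3 version string falls in the >= 1.23, < 2.7.0 range."""
    return AFFECTED_MIN <= parse_version(text) < FIXED_VERSION


def installed_urllib3_status():
    """(version, affected) for the urllib3 visible to this interpreter, or (None, False) if absent."""
    try:
        version = metadata.version("urllib3")
    except metadata.PackageNotFoundError:
        return None, False
    return version, is_affected_version(version)


def proxy_env_configured(env):
    """True when any proxy environment variable the page lists is set in the given mapping."""
    return any(env.get(name) for name in PROXY_ENV_VARS)


def origin(url):
    """Origin as (scheme, hostname), the boundary definition the page uses."""
    parts = urlsplit(url)
    return parts.scheme.lower(), (parts.hostname or "").lower()


def headers_exposed_by_redirect(original_url, location, headers):
    """Credential headers that would be sent to a different origin if this redirect were
    followed with headers intact. A relative Location is resolved against the original URL."""
    if origin(original_url) == origin(urljoin(original_url, location)):
        return set()
    return {name for name in headers if name.lower() in CREDENTIAL_HEADERS}
```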
Board Talking Points
A widely used Python networking library contains a flaw that can silently forward login credentials to unintended external servers during normal API operations.
Upgrade the affected library (urllib3) to version 2.7.0 or later across all Python applications; a full inventory and patching cycle should complete within your standard Medium-severity SLA.
Without remediation, any application using this library through a proxy could expose service credentials to third-party servers, creating a pathway for unauthorized access to internal systems.
PCI-DSS — if affected Python applications transmit or authenticate against payment processing APIs, credential leakage to unintended origins may constitute a controls failure under Requirement 6 (secure development) and Requirement 8 (access control)
HIPAA — if affected applications handle ePHI or authenticate to health data APIs through proxied connections, unauthorized credential disclosure may implicate the Security Rule's transmission security and access control requirements