
Update urllib3 to a more recent version due to known vulnerabilities

Open behnazh-w opened this issue 5 months ago • 3 comments

Describe the issue In setup.py, the version of urllib3 is pinned to an old release. The old versions are known to have security vulnerabilities. To avoid potential issues with outdated libraries, it would be better to update urllib3 to a more recent, secure version. Additionally, it would be good to specify a version range for urllib3 to allow for more flexibility and automatic updates to future patch releases, rather than pinning to a specific version.

Version (please complete the following information):

  • Checkov Version 3.2.457

behnazh-w avatar Jul 21 '25 07:07 behnazh-w

Hi, thank you for bringing this to our attention. We really appreciate your vigilance. After reviewing the CVE you mentioned, we can confirm that urllib3 version 1.26.20 is not affected by this vulnerability (CVE-2024-37891). This specific issue concerns the potential leakage of the Proxy-Authorization header during cross-origin redirects, which was fixed in versions 1.26.19 and later. The issue was fixed in this PR. Since Checkov uses 1.26.20, it is safe from this particular vulnerability. Thank you again.

lirshindalman avatar Sep 21 '25 17:09 lirshindalman
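Added example, not code from the thread or from the Checkov project: a small audit of `install_requires` entries that checks whether a urllib3 specifier admits only releases at or above the 1.26.19 fix cited above and whether it is an exact pin (the issue's two points). It assumes 1.26.19 as the minimum fixed release, as stated in the reply, and the requirement strings are constructed samples.

```python
import re

# Minimum urllib3 release the reply above cites as containing the fix for
# CVE-2024-37891 (Proxy-Authorization header leak on cross-origin redirects).
FIXED_VERSION = "1.26.19"

_REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(.*?)\s*$")
_SPEC_RE = re.compile(r"^(===|==|~=|>=|<=|!=|>|<)\s*([0-9]+(?:\.[0-9]+)*)(\.\*)?$")

# Constructed sample entries, in the shape setup.py's install_requires uses.
SAMPLE_INSTALL_REQUIRES = [
    "urllib3==1.26.18",       # exact pin below the fixed release
    "urllib3==1.26.20",       # the pin the maintainers describe as safe
    "urllib3>=1.26.19,<2",    # range: takes future 1.26.x patch releases
    "urllib3>=1.25",          # lower bound below the fix: admits vulnerable releases
    "requests>=2.31",         # unrelated package, ignored by the audit
]

def parse_version(text):
    return tuple(int(p) for p in text.split("."))

def lower_bound(spec):
    """Lowest version a specifier string admits, or None if unbounded below."""
    bounds = []
    for clause in filter(None, (c.strip() for c in spec.split(","))):
        m = _SPEC_RE.match(clause)
        if not m:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        op, ver, _wild = m.groups()
        # '>' is exclusive, but a post-release between it and the fix may exist,
        # so it is treated as admitting its stated version.
        if op in ("==", "===", ">=", ">", "~="):
            bounds.append(parse_version(ver))
    return max(bounds) if bounds else None

def audit_requirement(req, fixed=FIXED_VERSION):
    """Classify one install_requires entry against the fixed release."""
    name, spec = _REQ_RE.match(req).groups()
    low = lower_bound(spec)
    patched = low is not None and low >= parse_version(fixed)
    clauses = [c.strip() for c in spec.split(",")]
    pinned = any(c.startswith("==") and not c.endswith(".*") for c in clauses)
    return {"name": name, "patched": patched, "pinned": pinned}

def audit_install_requires(reqs, package="urllib3"):
    """Audit only the entries for the package under discussion."""
    results = [audit_requirement(r) for r in reqs]
    return [r for r in results if r["name"].lower() == package]

if __name__ == "__main__":
    for entry in audit_install_requires(SAMPLE_INSTALL_REQUIRES):
        print(entry)
```

A `patched` entry that is also `pinned` is safe today but will not pick up later patch releases; a range such as `>=1.26.19,<2` is both `patched` and not `pinned`.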

for fixing this CVE. We are currently working on dropping support for Python 3.8. Once that is completed, we will be able to update the package.

lirshindalman avatar Sep 21 '25 17:09 lirshindalman

Thanks @lirshindalman for the response. Could you please leave a comment once the package is updated and/or possibly keep this issue open until then?

behnazh-w avatar Sep 22 '25 03:09 behnazh-w