Urllib3

Latest version: v2.3.0

Safety actively analyzes 710445 Python packages for vulnerabilities to keep your Python projects secure.

Scan your dependencies

Page 9 of 17

1.24.2

Not secure
===================

* Don't load system certificates by default when any other ``ca_certs``, ``ca_certs_dir`` or
``ssl_context`` parameters are specified.

* Remove Authorization header regardless of case when redirecting to cross-site. (Issue 1510)

* Add support for IPv6 addresses in subjectAltName section of certificates. (Issue 1269)

1.24.1

Not secure
===================

* Remove quadratic behavior within ``GzipDecoder.decompress()`` (Issue 1467)

* Restored functionality of ``ciphers`` parameter for ``create_urllib3_context()``. (Issue 1462)

1.24

Not secure
=================

* Allow key_server_hostname to be specified when initializing a PoolManager to allow custom SNI to be overridden. (Pull 1449)

* Test against Python 3.7 on AppVeyor. (Pull 1453)

* Early-out ipv6 checks when running on App Engine. (Pull 1450)

* Change ambiguous description of backoff_factor (Pull 1436)

* Add ability to handle multiple Content-Encodings (Issue 1441 and Pull 1442)

* Skip DNS names that can't be idna-decoded when using pyOpenSSL (Issue 1405).

* Add a server_hostname parameter to HTTPSConnection which allows for
overriding the SNI hostname sent in the handshake. (Pull 1397)

* Drop support for EOL Python 2.6 (Pull 1429 and Pull 1430)

* Fixed bug where responses with header Content-Type: message/* erroneously
raised HeaderParsingError, resulting in a warning being logged. (Pull 1439)

* Move urllib3 to src/urllib3 (Pull 1409)

1.23

Not secure
=================

* Allow providing a list of headers to strip from requests when redirecting
to a different host. Defaults to the ``Authorization`` header. Different
headers can be set via ``Retry.remove_headers_on_redirect``. (Issue 1316)

* Fix ``util.selectors._fileobj_to_fd`` to accept ``long`` (Issue 1247).

* Dropped Python 3.3 support. (Pull 1242)

* Put the connection back in the pool when calling stream() or read_chunked() on
a chunked HEAD response. (Issue 1234)

* Fixed pyOpenSSL-specific ssl client authentication issue when clients
attempted to auth via certificate + chain (Issue 1060)

* Add the port to the connectionpool connect print (Pull 1251)

* Don't use the ``uuid`` module to create multipart data boundaries. (Pull 1380)

* ``read_chunked()`` on a closed response returns no chunks. (Issue 1088)

* Add Python 2.6 support to ``contrib.securetransport`` (Pull 1359)

* Added support for auth info in url for SOCKS proxy (Pull 1363)

1.22

Not secure
=================

* Fixed missing brackets in ``HTTP CONNECT`` when connecting to IPv6 address via
IPv6 proxy. (Issue 1222)

* Made the connection pool retry on ``SSLError``. The original ``SSLError``
is available on ``MaxRetryError.reason``. (Issue 1112)

* Drain and release connection before recursing on retry/redirect. Fixes
deadlocks with a blocking connectionpool. (Issue 1167)

* Fixed compatibility for cookiejar. (Issue 1229)

* pyopenssl: Use vendored version of ``six``. (Issue 1231)

1.21.1

Not secure
===================

* Fixed SecureTransport issue that would cause long delays in response body
delivery. (Pull 1154)

* Fixed regression in 1.21 that threw exceptions when users passed the
``socket_options`` flag to the ``PoolManager``. (Issue 1165)

* Fixed regression in 1.21 that threw exceptions when users passed the
``assert_hostname`` or ``assert_fingerprint`` flag to the ``PoolManager``.
(Pull 1157)

Page 9 of 17

© 2025 Safety CLI Cybersecurity Inc. All Rights Reserved.