The Fix
pip install urllib3==1.25.9
Based on closed urllib3/urllib3 issue #1790 · PR/commit linked
@@ -93,7 +93,7 @@ def _call_method(self):
path = urlsplit(path).path
- target = path[1:].replace("/", "_")
+ target = path[1:].split("/", 1)[0]
method = getattr(self, target, self.index)
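Review bot: the `+` line makes `_call_method` dispatch on the first path segment only, so a multi-segment request target now resolves to the handler named after its first segment rather than to one named from the whole path with `/` replaced by `_`, and anything else falls through to `self.index`; confirm no existing handler relied on the old `a_b`-style lookup, and a one-line comment stating that the rest of the path is deliberately left untouched (so dot segments reach the handler unnormalized) would make the intent clear.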
Why This Fix Works in Production
- Trigger: Issue with Parsing URIs - Breaks Security Tools when testing for Path Traversal
- Mechanism: Normalization of path segments in URI parsing was introduced, altering expected behavior
- Why the fix works: the fix keeps the previous non-normalizing behaviour and adds a test ensuring that ConnectionPool preserves dot segments in the request path, so the URI-parsing change that broke security tools no longer alters the path (first fixed release: 1.25.9).
- If left unfixed, this can cause silent data inconsistencies that propagate (bad cache entries, incorrect downstream decisions).
Why This Breaks in Prod
- Normalization of path segments in URI parsing was introduced, altering expected behavior
- Production symptom (often without a traceback): Issue with Parsing URIs - Breaks Security Tools when testing for Path Traversal
Proof / Evidence
- GitHub issue: #1790
- Fix PR: https://github.com/urllib3/urllib3/pull/1828
- First fixed release: 1.25.9
- Reproduced locally: No (not executed)
- Last verified: 2026-02-09
- Confidence: 0.85
- Did this fix it?: Yes (upstream fix exists)
- Own content ratio: 0.67
Discussion
High-signal excerpts from the issue thread (symptoms, repros, edge-cases).
“Hi all, I have documented the alternative solutions here: https://mazinahmed.net/blog/testing-for-path-traversal-with-python/ Thanks again!”
“Might be worth documenting it as an escape hatch as well?”
“Yeah I agree we should keep the previous behavior. My thoughts are that we should only do path normalization on redirects. Are you able to…”
“I think we should be good with those alternatives. Can we add a simple test case to ensure we preserve the non-normalizing behavior of using…”
Failure Signature (Search String)
- Issue with Parsing URIs - Breaks Security Tools when testing for Path Traversal
- I have noticed an odd behaviour in requests module, which uses urllib3. I inspected the root cause via regression testing and I found that the root cause of the issue is a change
Copy-friendly signature
Failure Signature
-----------------
Issue with Parsing URIs - Breaks Security Tools when testing for Path Traversal
I have noticed an odd behaviour in requests module, which uses urllib3. I inspected the root cause via regression testing and I found that the root cause of the issue is a change that was introduced in urllib3
Error Message
Signature-only (no traceback captured)
Minimal Reproduction
import urllib3
pool = urllib3.HTTPConnectionPool("localhost", 8000)
# On affected releases the dot segments are normalized away before the request
# leaves the client, so the server sees "/doing/certain/check" rather than the probe.
r = pool.urlopen("GET", "/../../../../doing/certain/check")
# The status alone does not reveal normalization; compare the request target
# that the server on localhost:8000 actually logged.
print(r.status)
What Broke
Security tools fail to detect path traversal vulnerabilities due to altered URI paths.
Why It Broke
Normalization of path segments in URI parsing was introduced, altering expected behavior
Fix Options (Details)
Option A — Upgrade to fixed release (safe default, recommended)
pip install urllib3==1.25.9
Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.
Fix reference: https://github.com/urllib3/urllib3/pull/1828
First fixed release: 1.25.9
Last verified: 2026-02-09. Validate in your environment.
When NOT to Use This Fix
- This fix should not be used if path normalization is required for security compliance.
Verify Fix
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
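A more direct check than the status code, added here as example code (not from the urllib3 project or the issue thread): it shows what RFC 3986 dot-segment removal does to the probe path and echoes back the request target that a local server actually received from the installed client. All names are hypothetical; the urllib3 sender is imported lazily so the stdlib parts run without it.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed probe: the traversal path from the page's minimal reproduction.
PROBE = "/../../../../doing/certain/check"

def remove_dot_segments(path):
    # RFC 3986 5.2.4 on an absolute path: what a normalizing client does to the target.
    output = []
    for segment in path.split("/")[1:]:
        if segment == "..":
            if output:
                output.pop()
        elif segment != ".":
            output.append(segment)
    if path.endswith(("/.", "/..")):
        output.append("")  # a trailing dot segment leaves a trailing slash
    return "/" + "/".join(output)

class _EchoHandler(BaseHTTPRequestHandler):
    received = []  # request targets exactly as they arrived on the wire

    def do_GET(self):
        self.received.append(self.path)
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

def path_seen_by_server(send_request, probe):
    # Serve on a random loopback port, push `probe` through send_request(host, port, probe)
    # and return the target the server actually received (its access log shows it too).
    server = HTTPServer(("127.0.0.1", 0), _EchoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        _EchoHandler.received.clear()
        send_request("127.0.0.1", server.server_address[1], probe)
        return _EchoHandler.received[-1]
    finally:
        server.shutdown()
        server.server_close()

def send_with_http_client(host, port, probe):
    conn = http.client.HTTPConnection(host, port, timeout=5)  # stdlib baseline
    conn.request("GET", probe)
    conn.getresponse().read()
    conn.close()

def send_with_urllib3(host, port, probe):
    import urllib3  # client under test; imported lazily so the rest runs without it
    urllib3.HTTPConnectionPool(host, port).urlopen("GET", probe, retries=False)
```

Calling path_seen_by_server(send_with_urllib3, PROBE) on an affected release returns the normalized "/doing/certain/check"; on 1.25.9 and later it should return the probe unchanged, matching the http.client baseline.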
Prevention
- Add a CI check that diffs key outputs after upgrades (OpenAPI schema snapshots, JSON payload shapes, CLI output).
- Upgrade behind a canary and run integration tests against the canary before 100% rollout.
- Track RSS + object counts after deployments; alert on monotonic growth and GC pressure.
- Add a long-running test that repeats the failing call path and asserts stable memory.
Version Compatibility Table
| Version | Status |
|---|---|
| 1.25.9 | Fixed |
Related Issues
No related fixes found.
Sources
We don’t republish the full GitHub discussion text. Use the links above for context.