opensearch_py-3.0.0-py3-none-any.whl: 1 vulnerabilities (highest severity is: 5.3)

[mend-for-github-com]

Vulnerable Library - opensearch_py-3.0.0-py3-none-any.whl

Path to dependency file: /ubi-data-generator/requirements.txt

Path to vulnerable library: /tmp/ws-ua_20251115142043_KZJLVD/python_GPKGRT/202511151420431/env/lib/python3.9/site-packages/urllib3-1.26.20.dist-info

Found in HEAD commit: e2dcd52d203d58c93f588f83ebfe074a4d66d84b

Vulnerabilities

Vulnerability	Severity	CVSS	Dependency	Type	Fixed in (opensearch_py version)	Remediation Possible**
CVE-2025-50181	Medium	5.3	urllib3-1.26.20-py2.py3-none-any.whl	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2025-50181

Vulnerable Library - urllib3-1.26.20-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/33/cf/8435d5a7159e2a9c83a95896ed596f68cf798005fe107cc655b5c5c14704/urllib3-1.26.20-py2.py3-none-any.whl

Path to dependency file: /ubi-data-generator/requirements.txt

Path to vulnerable library: /tmp/ws-ua_20251115142043_KZJLVD/python_GPKGRT/202511151420431/env/lib/python3.9/site-packages/urllib3-1.26.20.dist-info

Dependency Hierarchy:

• opensearch_py-3.0.0-py3-none-any.whl (Root Library)
  • ❌ urllib3-1.26.20-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: e2dcd52d203d58c93f588f83ebfe074a4d66d84b

Found in base branch: main

Vulnerability Details

urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disable redirects. By default, requests and botocore users are not affected. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects at the PoolManager level will remain vulnerable. This issue has been patched in version 2.5.0.

Publish Date: 2025-06-19

URL: CVE-2025-50181

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-06-19

Fix Resolution: urllib3 - 2.5.0,urllib3 - 2.5.0,https://github.com/urllib3/urllib3.git - 2.5.0

[sandeshkr419]

Dependent on: opensearch-project/opensearch-py#929 & opensearch-project/opensearch-py#929

Related: opensearch-project/opensearch-py#937

[jzonthemtn]

This issue reminds me of the sentiment in #86. The opensearch-py dependency is used by the ubi-data-generator and not by the plugin itself. I like having the data generator nearby, but in this case I think it just adds to complexity and confusion for users, as well as issues like these.

I would like to propose moving the ubi-data-generator out of this repository.

• Perhaps https://github.com/opensearch-project/dashboards-search-relevance would be a better home for it?
• Or somewhere else?
• Or perhaps I can be convinced this location is the best location for it.