Vulnerable urllib3 embedded - CVE-2025-50181

[AndreaCuneo]

Virtualenv Versions [1.11.2,20.31.2] are affected by https://nvd.nist.gov/vuln/detail/CVE-2025-50181

SCA & SAST tools are complaining and requires Waivers/Exemptions due to the critical nature of the CVE.

Please upgrade to urllib 2.5.0

[esafak]

@gaborbernat Is this related to the breakage of CI? Otherwise the check workflow would update the wheels and fix this problem, right?

[gaborbernat]

We cannot update the wheels as we still support 3.8, so there's no way around this until we drop that next year.

[esafak]

3.8 is way past EOL, and 3.9 is EOL in October. I suggest setting a termination date (I could not find one) and warning 3.8 users on installation, assuming we don't.