Security Issue: Cannot Mitigate CVE-2025-66471 Due to urllib3 v2.6.0 Incompatibility #208

@VDigitall

Critical Problem

The docusign-esign library is currently unable to mitigate CVE-2025-66471 because it is incompatible with urllib3 v2.6.0+, which is the version that fixes this vulnerability.

Vulnerability Details

The Incompatibility Problem

urllib3 v2.6.0 removed deprecated methods that docusign-esign depends on, making it impossible to simply update the version constraint. The library currently relies on deprecated urllib3 APIs that no longer exist in v2.6.0+.

This creates a security deadlock:

  • Cannot use urllib3 < 2.6.0 → Vulnerable to CVE-2025-66471
  • Cannot use urllib3 >= 2.6.0 → Incompatible due to removed deprecated methods
  • ⚠️ Result: Users are forced to use vulnerable urllib3 versions

Impact on Users

  • 🚨 All users are exposed to CVE-2025-66471 with no mitigation path
  • 🚨 Security scanners will flag this vulnerability in production environments
  • 🚨 Compliance and audit failures for organizations using this library
  • 🚨 Cannot pass security reviews for new deployments

Root Cause

The docusign-esign library uses deprecated urllib3 methods that were removed in v2.6.0. This prevents updating to secure urllib3 versions.

References
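The check below is an added example, not part of the original issue or of the docusign-esign code base: it reports whether an environment's urllib3 is older than 2.6.0 and which installed packages declare a constraint that excludes 2.6.0. It assumes the block is expressed as a declared version constraint in package metadata; the constraint strings in the sample are constructed for illustration, and only simple `==, !=, <, <=, >, >=` clauses are handled.

```python
import re
from importlib import metadata

FIXED = (2, 6, 0)  # urllib3 release the issue names as fixing CVE-2025-66471
OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
       "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b,
       "<": lambda a, b: a < b, ">": lambda a, b: a > b}

def parse_version(text):
    """'2.5' -> (2, 5, 0); pre/post-release suffixes are ignored (simplification)."""
    nums = re.match(r"\s*(\d+(?:\.\d+)*)", text).group(1).split(".")
    parts = tuple(int(n) for n in nums)
    return parts + (0,) * (3 - len(parts))

def urllib3_spec(requirement):
    """Return the specifier part of a 'urllib3 ...' requirement line, else None."""
    req = requirement.split(";")[0].strip()  # drop environment markers
    m = re.fullmatch(r"urllib3(?![\w.-])(?:\[[^\]]*\])?\s*\(?([^()]*)\)?", req, re.I)
    return m.group(1).strip() if m else None

def allows(spec, version):
    """True if every clause of a simple specifier set admits `version`."""
    for clause in filter(None, (c.strip() for c in spec.split(","))):
        m = re.fullmatch(r"(==|!=|<=|>=|<|>)\s*([\d.]+)", clause)
        if m is None:  # e.g. '~=' or wildcards: outside this example's scope
            raise ValueError(f"unsupported clause: {clause!r}")
        if not OPS[m.group(1)](version, parse_version(m.group(2))):
            return False
    return True

def audit(installed_urllib3, requirements):
    """requirements: {dist name: [requirement strings]} -> exposure report."""
    blockers = sorted(
        name for name, reqs in requirements.items()
        for spec in map(urllib3_spec, reqs)
        if spec is not None and not allows(spec, FIXED))
    return {"vulnerable": parse_version(installed_urllib3) < FIXED,
            "blocked_by": blockers}

def installed_requirements():
    """Collect declared requirements of every distribution in this environment."""
    return {d.metadata["Name"]: d.requires or [] for d in metadata.distributions()}

if __name__ == "__main__":
    # Constructed sample: the constraint strings are illustrative, not real metadata.
    sample = {"docusign-esign": ["urllib3>=1.25.3,<2.6.0", "certifi>=14.05.14"],
              "requests": ["urllib3<3,>=1.21.1"]}
    print(audit("2.5.0", sample))
```

To audit a real environment, pass `metadata.version("urllib3")` and `installed_requirements()` to `audit`. A package can also break at runtime without declaring an upper bound, which this metadata check will not see.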
