urllib3 is vulnerable to CRLF injection. It is possible because it does not escape CRLF characters injected into the request parameter, allowing an attacker to manipulate the HTTP headers once the parameter is under control.
lists.opensuse.org/opensuse-security-announce/2019-09/msg00039.html
lists.opensuse.org/opensuse-security-announce/2019-09/msg00041.html
access.redhat.com/errata/RHSA-2019:2272
access.redhat.com/errata/RHSA-2019:3335
access.redhat.com/errata/RHSA-2019:3590
bugs.python.org/issue36276#msg337837
github.com/urllib3/urllib3/commit/0aa3e24fcd75f1bb59ab159e9f8adb44055b2271
github.com/urllib3/urllib3/issues/1553
github.com/urllib3/urllib3/pull/1487
lists.debian.org/debian-lts-announce/2019/06/msg00016.html
lists.debian.org/debian-lts-announce/2021/06/msg00015.html
lists.fedoraproject.org/archives/list/[email protected]/message/NKGPJLVLVYCL4L4B4G5TIOTVK4BKPG72/
lists.fedoraproject.org/archives/list/[email protected]/message/R62XGEYPUTXMRHGX5I37EBCGQ5COHGKR/
lists.fedoraproject.org/archives/list/[email protected]/message/TBI45HO533KYHNB5YRO43TBYKA3E3VRL/
lists.fedoraproject.org/archives/list/[email protected]/message/XOSA2NT4DUQDBEIWE6O7KKD24XND7TE2/
usn.ubuntu.com/3990-1/
usn.ubuntu.com/3990-2/