urllib3 entered the "Billion-a-Month" club in 2025


Welcome to the 2025 annual report for urllib3.

I’m Illia, and this is my first time writing this update for the second most downloaded Python package. Long-time readers will recognize these reports from Seth Larson or Quentin Pradet, but this year I’m taking the baton to share what we’ve been up to.

2025 was a busy year defined by security hardening and future-proofing. We released 5 versions and merged over 100 pull requests, working to secure the library and prepare it for Python 3.14. For the first time ever, urllib3 was installed over 1 billion times per month consistently throughout the last quarter, signaling new levels of adoption for both the Python language and foundational open source libraries like urllib3.

With our usage reaching unprecedented scales, security has never been more critical. This year, we underwent our first-ever professional security audit, established a security policy, and completed specialized security training to ensure urllib3 remains a safe foundation for the internet.

On the technical front, we didn’t just wait for the new Python version; we integrated its features early. A major highlight was our adoption of the new compression.zstd module (PEP 784). By shipping this support in version 2.5.0, months before Python 3.14 officially landed, we ensured that urllib3 users could benefit from native Zstandard support on day one.

It was also a year that challenged our assumptions about API evolution. In version 2.6.0, we removed two methods, reasoning that they had been emitting DeprecationWarning for years. We assumed that users had seen the warnings and migrated. We were wrong. Many users didn’t know the methods were deprecated until they were gone. We listened to the immediate feedback and restored compatibility in v2.6.1. It was a reminder that maintaining a foundational library requires meeting users where they are, not just where the warnings say they should be.
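The lesson above has a mechanical cause worth seeing in code: since Python 3.7 (PEP 565) the default warning filters ignore a DeprecationWarning unless it is triggered directly by code in `__main__`, so a warning emitted inside an imported library is invisible to most applications. The following example is added here and is not urllib3's code; `old_api` and `new_api` are hypothetical stand-ins for any deprecated library method, and the script shows what each warning filter lets through and how to make deprecated calls fail loudly before the method disappears.

```python
"""Added example (not urllib3's code): why a library's DeprecationWarning can
go unseen, and how to surface it before the API is removed.

`old_api` and `new_api` are hypothetical stand-ins for a deprecated method
and its replacement.
"""
import warnings


def old_api() -> str:
    """Hypothetical deprecated library function: warns, then still works."""
    warnings.warn(
        "old_api() is deprecated and will be removed; use new_api() instead",
        DeprecationWarning,
        stacklevel=2,  # attribute the warning to the caller, not to this module
    )
    return "ok"


def new_api() -> str:
    """Hypothetical replacement for old_api()."""
    return "ok"


def deprecation_warnings_seen(action: str, calls: int = 3) -> int:
    """Call old_api() `calls` times under an explicit warning filter and
    return how many DeprecationWarnings were actually surfaced.

    action="ignore"   is the default treatment of a DeprecationWarning raised
                      inside an imported library: nothing is shown;
    action="default"  shows the first occurrence per call site only;
    action="always"   shows every occurrence;
    action="error"    turns each warning into an exception, which is what a
                      CI job should use so deprecated calls fail before the
                      method is removed.
    """
    seen = 0
    with warnings.catch_warnings(record=True) as caught:
        # simplefilter() inserts at the front of the filter list, so this
        # choice wins over whatever -W options or PYTHONWARNINGS are in effect.
        warnings.simplefilter(action, DeprecationWarning)
        for _ in range(calls):
            try:
                old_api()
            except DeprecationWarning:
                seen += 1  # "error": the warning became an exception
        seen += sum(1 for w in caught if issubclass(w.category, DeprecationWarning))
    return seen


if __name__ == "__main__":
    for action in ("ignore", "default", "always", "error"):
        print(f"{action:8} -> {deprecation_warnings_seen(action)} warning(s) seen")
```

In practice the same effect as `action="error"` is obtained without touching application code by running the test suite with `python -W error::DeprecationWarning` or with `PYTHONWARNINGS=error::DeprecationWarning` set in CI, which makes a deprecated call a failing test rather than a silent one.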

Here is a deeper look at what we accomplished together in 2025.

A New Chapter in Leadership

In July 2025, I, Illia Volochii, was honored to accept the role of Lead Maintainer for urllib3, succeeding Seth Michael Larson, who had led the project since 2019, guiding us through the massive v2.0 release and setting a high standard for open source stewardship. I am incredibly grateful for his trust.

Having contributed to urllib3 for over three years, I am excited to guide the project into its next phase. Alongside my co-maintainers Quentin and Seth, I look forward to keeping urllib3 the reliable foundation that the Python ecosystem depends on.

Security

Security was a primary theme for urllib3 in 2025. We believe it is a continuous process that involves not just patching bugs but also proactively hunting for them and improving our skills.

First professional security audit

This year marked a significant milestone: urllib3 underwent its first professional security audit performed by 7ASecurity and facilitated by OSTIF. Having a third party scrutinize our codebase provided a fresh perspective and helped us identify useful security features for the future. The full report of our audit from 7ASecurity is forthcoming and will be shared by us once available.

Security training

We also invested in the human side of security. Maintainers participated in professional training to better understand modern threat models and secure coding practices. Applying these lessons helps us ensure that urllib3 remains secure for the millions of applications relying on it.

Vulnerabilities

A special feature of 2025 was publishing two thematic batches of security advisories:

  • v2.5.0 fixed the moderate-severity CVE-2025-50181 and CVE-2025-50182, both related to redirect control
  • v2.6.0 fixed the high-severity CVE-2025-66471 and CVE-2025-66418, which marked the beginning of an ongoing series of security hardening work on the response decompression logic (this part is so involved that it deserves a separate post)

Also, these four were the first vulnerabilities whose fixes were not backported to the 1.x release line. Support for urllib3 1.x and Python 2 had been sunset by the time of the previous annual report, and to our surprise we have received close to no complaints!

Researchers used six different channels to report around 20 potential vulnerabilities to us. Most of these were invalid, and while some were clearly AI-assisted, we were fortunately not overwhelmed by AI-generated noise.

New security policy

To provide clarity for our users and researchers, we wrote and published a formal Security Policy. This document outlines exactly how we handle vulnerability reports, what users can expect regarding security updates, and, crucially, defines the scope of support for experimental features, such as in-development HTTP/2 support.

Helping the ecosystem

We transferred one of the received reports to the Python Security Response Team; this sped up merging a remediation for CVE-2025-13836. On our side, we reviewed the proposed fix for CPython and helped reduce the introduced performance penalty beforehand.

We also helped our optional dependency BrotliCFFI pull in updates from the upstream Brotli 1.2.0 release, which allowed urllib3 users to use Brotli more securely on PyPy.

Downloads

urllib3 operates at a scale that is sometimes hard to visualize. In 2025, the numbers continued to grow, reinforcing the library’s position as a critical component of the internet’s infrastructure.

In 2025, urllib3 was downloaded 10,881,224,612 times from PyPI. The fourth quarter marked a massive milestone for the project. For the first time, urllib3 consistently exceeded 1 billion downloads per month on PyPI alone (October, November, and December).

[Chart: urllib3 downloads in millions from PyPI for every month in 2025, based on the PyPI dataset. Green: v2.x; orange: v1.x (EOL).]

As massive as these PyPI numbers are, they likely undercount the library’s actual reach. urllib3 is bundled inside pip, which means that almost every Python installation, whether on a laptop, a server, or a CI runner, contains a copy of urllib3 that never registers as a PyPI download. When we account for this, along with downstream packaging in Linux distributions and Conda, we estimate the true usage is greater than 1.5 billion monthly downloads.

Funding and Sustainability

Sustainability is about more than just code; it is about ensuring the people who maintain that code can afford to do so. In 2025, urllib3 continued to be supported by a diverse funding model:

  • Tidelift (acquired by Sonar a year ago) provides monthly payouts to maintainers in exchange for assurances about license compliance and security maintenance, bridging the gap between open source and enterprise needs.
  • Direct Sponsorships: Individuals and companies support us directly via GitHub Sponsors and Open Collective. If you rely on urllib3, please consider joining them!
  • Algorithmic & Ecosystem Funding: We receive recurring support from thanks.dev (which helps companies distribute funds to their dependency tree) and ecosyste.ms Funds (a platform designed to sustain critical open source infrastructure).

We are especially grateful for significant sponsorships this year from Tidelift, AWS, American Express, and Sentry. Their contributions have been instrumental in sustaining our work.

We believe in fair compensation for open source work. The funds raised on Open Collective are available to offer hourly compensation to our maintainers and core contributors. This option ensures financial support is available for team members who wish to receive it and can do so.

We also maintain a bounty program to encourage contributions on selected issues. While the program is alive and funded, it was relatively quiet in 2025, with just one bounty claimed. We encourage developers looking for a challenge to check our issue tracker for opportunities to contribute and get paid.

[Sankey diagram of urllib3’s funds flow in 2025¹]

What’s next?

HTTP/2

In 2024, we started fundraising to bring HTTP/2 support to urllib3, setting a $50,000 goal. Unfortunately, we have not yet reached that target.

However, thanks to contributions from companies and individuals, we grew our Open Collective balance by around $8,000 this year, bringing our total available funds to $27,627.33.

While this does not fully cover our original estimate, it is a substantial starting point. We are looking for an experienced developer with proven expertise in HTTP specifications and the Python ecosystem to join our efforts. As this is a paid opportunity, candidates must be able to receive funds via Open Collective. If you have the skills to help us ship HTTP/2, we have the resources to begin supporting that work. Please reach out to us on Discord or email me directly at [email protected].

Want to speed up this effort?

If you cannot contribute code but want to see HTTP/2 support land sooner, becoming a Sponsor on GitHub or Open Collective helps us fund the dedicated development time needed to cross the finish line.

Looking Ahead

2025 was a year of transition, security hardening, and preparation for the future. As we move into 2026, our focus remains on maintaining the stability you expect while continuing the push for features like HTTP/2.

Whether you are one of the millions of users or one of the dozens of contributors, thank you for being part of urllib3 this year!

¹ The Sankey diagram was updated on January 24, 2026 to take into account new processor fees for 2025 transactions.