urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly.Users **must** handle redirects themselves instead of relying on urllib3's automatic redirects to achieve safe processing of the `Cookie` header, thus we decided to strip the header by default in order to further protect users who aren't using the correct approach.## Affected usagesWe believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited:* Using an affected version of urllib3 (patched in v1.26.17 and v2.0.6)* Using the `Cookie` header on requests, which is mostly typical for impersonating a browser.* Not disabling HTTP redirects* Either not using HTTPS or for the origin server to redirect to a malicious origin.## Remediation* Upgrading to at least urllib3 v1.26.17 or v2.0.6* Disabling HTTP redirects using `redirects=False` when sending requests.* Not using the `Cookie` header.