Search for packages
| purl | pkg:pypi/requests@0.13.8 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1mw1-384y-huc7
Aliases: CVE-2013-2099 |
Uncontrolled Resource Consumption Algorithmic complexity vulnerability in the `ssl.match_hostname` function and unspecified versions of python-backports-ssl_match_hostname as used for older Python versions, allows remote attackers to cause a denial of service (CPU consumption) via multiple wildcard characters in the common name in a certificate. |
Affected by 5 other vulnerabilities. Affected by 5 other vulnerabilities. |
|
VCID-4uhh-qs7z-bffx
Aliases: CVE-2014-1830 GHSA-652x-xj99-gmcc PYSEC-2014-14 |
Requests (aka python-requests) before 2.3.0 allows remote servers to obtain sensitive information by reading the Proxy-Authorization header in a redirected request. |
Affected by 5 other vulnerabilities. |
|
VCID-duvn-u125-dqan
Aliases: CVE-2024-35195 GHSA-9wx4-h78v-vm56 |
Requests `Session` object does not verify requests after making first request with verify=False When using a `requests.Session`, if the first request to a given origin is made with `verify=False`, TLS certificate verification may remain disabled for all subsequent requests to that origin, even if `verify=True` is explicitly specified later. This occurs because the underlying connection is reused from the session's connection pool, causing the initial TLS verification setting to persist for the lifetime of the pooled connection. As a result, applications may unintentionally send requests without certificate verification, leading to potential man-in-the-middle attacks and compromised confidentiality or integrity. This behavior affects versions of `requests` prior to 2.32.0. |
Affected by 1 other vulnerability. |
|
VCID-jgyy-eapg-f7c3
Aliases: CVE-2014-1829 GHSA-cfj3-7x9c-4p3h PYSEC-2014-13 |
Requests (aka python-requests) before 2.3.0 allows remote servers to obtain a netrc password by reading the Authorization header in a redirected request. |
Affected by 5 other vulnerabilities. |
|
VCID-pd4x-3cee-t7g3
Aliases: CVE-2018-18074 GHSA-x84v-xcm2-53pg PYSEC-2018-28 |
The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network. |
Affected by 3 other vulnerabilities. |
|
VCID-stx3-z3wu-pbat
Aliases: CVE-2024-47081 GHSA-9hjg-9r4m-mvj7 |
Requests vulnerable to .netrc credentials leak via malicious URLs ### Impact Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. ### Workarounds For older versions of Requests, use of the .netrc file can be disabled with `trust_env=False` on your Requests Session ([docs](https://requests.readthedocs.io/en/latest/api/#requests.Session.trust_env)). ### References https://github.com/psf/requests/pull/6965 https://seclists.org/fulldisclosure/2025/Jun/2 |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||