VulnerableCode Package Details - pkg:pypi/requests@2.32.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-stx3-z3wu-pbat Aliases: CVE-2024-47081 GHSA-9hjg-9r4m-mvj7	Requests vulnerable to .netrc credentials leak via malicious URLs ### Impact Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. ### Workarounds For older versions of Requests, use of the .netrc file can be disabled with `trust_env=False` on your Requests Session ([docs](https://requests.readthedocs.io/en/latest/api/#requests.Session.trust_env)). ### References https://github.com/psf/requests/pull/6965 https://seclists.org/fulldisclosure/2025/Jun/2	2.32.4 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-stx3-z3wu-pbat
Aliases:
CVE-2024-47081
GHSA-9hjg-9r4m-mvj7

Requests vulnerable to .netrc credentials leak via malicious URLs ### Impact Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. ### Workarounds For older versions of Requests, use of the .netrc file can be disabled with `trust_env=False` on your Requests Session ([docs](https://requests.readthedocs.io/en/latest/api/#requests.Session.trust_env)). ### References https://github.com/psf/requests/pull/6965 https://seclists.org/fulldisclosure/2025/Jun/2

2.32.4
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-duvn-u125-dqan	Requests `Session` object does not verify requests after making first request with verify=False When using a `requests.Session`, if the first request to a given origin is made with `verify=False`, TLS certificate verification may remain disabled for all subsequent requests to that origin, even if `verify=True` is explicitly specified later. This occurs because the underlying connection is reused from the session's connection pool, causing the initial TLS verification setting to persist for the lifetime of the pooled connection. As a result, applications may unintentionally send requests without certificate verification, leading to potential man-in-the-middle attacks and compromised confidentiality or integrity. This behavior affects versions of `requests` prior to 2.32.0.	CVE-2024-35195 GHSA-9wx4-h78v-vm56

Vulnerability

Summary

Aliases

VCID-duvn-u125-dqan

Requests `Session` object does not verify requests after making first request with verify=False When using a `requests.Session`, if the first request to a given origin is made with `verify=False`, TLS certificate verification may remain disabled for all subsequent requests to that origin, even if `verify=True` is explicitly specified later. This occurs because the underlying connection is reused from the session's connection pool, causing the initial TLS verification setting to persist for the lifetime of the pooled connection. As a result, applications may unintentionally send requests without certificate verification, leading to potential man-in-the-middle attacks and compromised confidentiality or integrity. This behavior affects versions of `requests` prior to 2.32.0.

CVE-2024-35195
GHSA-9wx4-h78v-vm56

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-12T00:50:11.978364+00:00	GitLab Importer	Affected by	VCID-stx3-z3wu-pbat	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/requests/CVE-2024-47081.yml	38.3.0
2026-04-03T00:58:15.464661+00:00	GitLab Importer	Affected by	VCID-stx3-z3wu-pbat	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/requests/CVE-2024-47081.yml	38.1.0
2026-04-02T12:39:18.199599+00:00	GitLab Importer	Fixing	VCID-duvn-u125-dqan	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/requests/CVE-2024-35195.yml	38.0.0
2026-04-01T16:05:26.491045+00:00	GHSA Importer	Fixing	VCID-duvn-u125-dqan	https://github.com/advisories/GHSA-9wx4-h78v-vm56	38.0.0
2026-04-01T12:52:10.221895+00:00	GithubOSV Importer	Fixing	VCID-duvn-u125-dqan	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-9wx4-h78v-vm56/GHSA-9wx4-h78v-vm56.json	38.0.0