Search for packages
| purl | pkg:pypi/requests@2.6.2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-a3cx-5ju5-27ez
Aliases: CVE-2023-32681 GHSA-j8r2-6x86-q33q PYSEC-2023-74 |
Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0. |
Affected by 2 other vulnerabilities. |
|
VCID-duvn-u125-dqan
Aliases: CVE-2024-35195 GHSA-9wx4-h78v-vm56 |
Requests `Session` object does not verify requests after making first request with verify=False When using a `requests.Session`, if the first request to a given origin is made with `verify=False`, TLS certificate verification may remain disabled for all subsequent requests to that origin, even if `verify=True` is explicitly specified later. This occurs because the underlying connection is reused from the session's connection pool, causing the initial TLS verification setting to persist for the lifetime of the pooled connection. As a result, applications may unintentionally send requests without certificate verification, leading to potential man-in-the-middle attacks and compromised confidentiality or integrity. This behavior affects versions of `requests` prior to 2.32.0. |
Affected by 1 other vulnerability. |
|
VCID-pd4x-3cee-t7g3
Aliases: CVE-2018-18074 GHSA-x84v-xcm2-53pg PYSEC-2018-28 |
The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network. |
Affected by 3 other vulnerabilities. |
|
VCID-stx3-z3wu-pbat
Aliases: CVE-2024-47081 GHSA-9hjg-9r4m-mvj7 |
Requests vulnerable to .netrc credentials leak via malicious URLs ### Impact Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. ### Workarounds For older versions of Requests, use of the .netrc file can be disabled with `trust_env=False` on your Requests Session ([docs](https://requests.readthedocs.io/en/latest/api/#requests.Session.trust_env)). ### References https://github.com/psf/requests/pull/6965 https://seclists.org/fulldisclosure/2025/Jun/2 |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||