requests@0.13.6 vulnerabilities

Python HTTP for Humans.

latest version

2.32.3
latest non vulnerable version

2.32.3
first published

14 years ago
latest version published

6 months ago
licenses detected
- ISC
  [0.0.1,1.0.0)
View requests package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the requests package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Always-Incorrect Control Flow Implementation Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation when making requests through a Requests `Session`. An attacker can bypass certificate verification by making the first request with `verify=False`, causing all subsequent requests to ignore certificate verification regardless of changes to the `verify` value. Notes: For requests <2.32.0, avoid setting `verify=False` for the first request to a host while using a Requests Session. For requests <2.32.0, call `close()` on Session objects to clear existing connections if `verify=False` is used. This vulnerability was initially fixed in version 2.32.0, which was yanked. Therefore, the next available fixed version is 2.32.2. How to fix Always-Incorrect Control Flow Implementation? Upgrade `requests` to version 2.32.2 or higher.	[,2.32.2)
C Information Exposure Requests is a Non-GMO HTTP library for Python Affected versions of this package are vulnerable to Information Exposure. Upon receiving a same-hostname https-to-http redirect, it sends the HTTP Authorization header to an http URI. This makes it easier for remote attackers to discover credentials by sniffing the network. How to fix Information Exposure? Upgrade `request` to version 2.20 or higher.	[,2.20)
M Information Exposure `requests` is a Python HTTP for Humans. Affected versions of this package are vulnerable to Information Disclosure attacks. Remote servers may obtain sensitive information by reading the `Proxy-Authorization` header in a redirected request. How to fix Information Exposure? Upgrade to version `2.3.0` or greater.	[,2.3.0)
M Information Exposure `requests` is a Python HTTP for Humans. Affected versions of this package are vulnerable to Information Exposure. Remote servers may obtain a netrc password by reading the Authorization header in a redirected request. How to fix Information Exposure? Upgrade to version `2.3.0` or greater.	[,2.3.0)
M Denial of Service (DoS) `requests` is a Python HTTP for Humans. Affected versions of this package are vulnerable to Denial of Service attacks. Algorithmic complexity vulnerability in the `ssl.match_hostname` function in Python 3.2.x, 3.3.x, and earlier, and unspecified versions of `python-backports-ssl_match_hostname` as used for older Python versions, allows remote attackers to cause a denial of service (CPU consumption) via multiple wildcard characters in the common name in a certificate. How to fix Denial of Service (DoS)? Upgrade to version `1.1.0` or greater.	[,1.1.0)
M Denial of Service (DoS) `requests` is a Python HTTP for Humans. Affected versions of this package are vulnerable to Denial of Service (DoS) attacks. When sending a digest with an incorrect password, it will retry the request for infinity. An attacker can send many of these requests, causing a denial of service.	[,1.2.3]

Go back to all versions of this package

requests@0.13.6 vulnerabilities

Python HTTP for Humans.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities