requests@2.32.0 vulnerabilities

Python HTTP for Humans.

Direct Vulnerabilities

Known vulnerabilities in the requests package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Always-Incorrect Control Flow Implementation

Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation when making requests through a Requests Session. An attacker can bypass certificate verification by making the first request with verify=False, causing all subsequent requests to ignore certificate verification regardless of changes to the verify value.

Notes:

  1. For requests <2.32.0, avoid setting verify=False for the first request to a host while using a Requests Session.

  2. For requests <2.32.0, call close() on Session objects to clear existing connections if verify=False is used.

  3. This vulnerability was initially fixed in version 2.32.0, which was yanked. Therefore, the next available fixed version is 2.32.2.

How to fix Always-Incorrect Control Flow Implementation?

Upgrade requests to version 2.32.2 or higher.

[,2.32.2)