Homepage

treq@17.7.0 vulnerabilities

High-level Twisted HTTP Client API

  • latest version

    24.9.1

  • latest non vulnerable version

    24.9.1

  • first published

    12 years ago

  • latest version published

    5 months ago

  • licenses detected

  • View treq package health on Snyk Advisor  (opens in a new tab)
    • Go back to all versions of this package
    Report a new vulnerability Found a mistake?

    Direct Vulnerabilities

    Known vulnerabilities in the treq package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Information Exposure

    treq is a High-level Twisted HTTP Client API

    Affected versions of this package are vulnerable to Information Exposure when Treq's request methods (treq.get, treq.post, HTTPClient.request, HTTPClient.get, etc.) accept cookies as a dictionary,

    Such cookies are not bound to a single domain and are therefore sent to every domain ("supercookies"). This can potentially cause sensitive information to leak upon an HTTP redirect to a different domain., e.g. should https://example.com redirect to http://cloudstorageprovider.com the latter will receive the cookie session.

    How to fix Information Exposure?

    Upgrade treq to version 22.1.0 or higher.

    [,22.1.0)
    Go back to all versions of this package