Python Requests vulnerabilities

8 known vulnerabilities affecting python/requests.

Total CVEs: 8
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: 1 HIGH, 7 MEDIUM

Vulnerabilities

CVE-2026-25645 | MEDIUM | CVSS 5.5 | fixed in 2.33.0 | published 2026-03-25 | CWE-377
Requests is an HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could p
Sources: GHSA, NVD, OSV
CVE-2024-47081 | MEDIUM | CVSS 5.3 | affected ≥ 0, < 2.32.4 | published 2025-06-09 | CWE-522
Requests vulnerable to .netrc credentials leak via malicious URLs
Impact: Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs.
Workarounds: For older versions of Requests, use of the .netrc file can be disabled with `trust_env=False` on your Requests Session ([docs](https://requests.readthedocs.io/e
Sources: GHSA, OSV
CVE-2024-35195 | MEDIUM | CVSS 5.6 | affected ≥ 0, < 2.32.0 | published 2024-05-20 | CWE-670
Requests `Session` object does not verify requests after making first request with verify=False
When using a `requests.Session`, if the first request to a given origin is made with `verify=False`, TLS certificate verification may remain disabled for all subsequent requests to that origin, even if `verify=True` is explicitly specified later. This occurs because the und
Sources: GHSA, OSV
CVE-2023-32681 | MEDIUM | CVSS 6.1 | affected ≥ 2.3.0, < 2.31.0 | published 2023-05-26 | CWE-200
Requests is an HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the head
Sources: GHSA, NVD, OSV
CVE-2018-18074 | HIGH | CVSS 7.5 | fixed in 2.20.0 | published 2018-10-09 | CWE-522
The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.
Sources: GHSA, NVD, OSV
CVE-2015-2296 | MEDIUM | CVSS 6.8 | affected v2.1.0, v2.2.1, +9 more | published 2015-03-18
The resolve_redirects function in sessions.py in requests 2.1.0 through 2.5.3 allows remote attackers to conduct session fixation attacks via a cookie without a host value in a redirect.
Sources: GHSA, NVD, OSV
CVE-2014-1829 | MEDIUM | CVSS 5.0 | affected ≤ 2.2.1 | published 2014-10-15 | CWE-200
Requests (aka python-requests) before 2.3.0 allows remote servers to obtain a netrc password by reading the Authorization header in a redirected request.
Sources: GHSA, NVD, OSV
CVE-2014-1830 | MEDIUM | CVSS 5.0 | affected ≤ 2.2.1 | published 2014-10-15 | CWE-200
Requests (aka python-requests) before 2.3.0 allows remote servers to obtain sensitive information by reading the Proxy-Authorization header in a redirected request.
Sources: GHSA, NVD, OSV