Vulnerable Library - requests-2.31.0-py3-none-any.whl
Python HTTP for Humans.
Library home page: https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20260201143433_TSAEWI/python_OQBSXL/202602011434341/env/lib/python3.9/site-packages/requests-2.31.0.dist-info
Found in HEAD commit: 5479a8c1bb616465c01b99236371eceefb6a84fc
Vulnerabilities
| Vulnerability |
Severity |
 CVSS |
Dependency |
Type |
Fixed in (requests version) |
Remediation Possible** |
| CVE-2024-35195 |
 Medium |
5.6 |
requests-2.31.0-py3-none-any.whl |
Direct |
2.32.0 |
✅ |
| CVE-2024-47081 |
Medium |
5.3 |
requests-2.31.0-py3-none-any.whl |
Direct |
2.32.4 |
✅ |
| CVE-2026-25645 |
Medium |
4.4 |
requests-2.31.0-py3-none-any.whl |
Direct |
N/A |
❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-35195
Vulnerable Library - requests-2.31.0-py3-none-any.whl
Python HTTP for Humans.
Library home page: https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20260201143433_TSAEWI/python_OQBSXL/202602011434341/env/lib/python3.9/site-packages/requests-2.31.0.dist-info
Dependency Hierarchy:
- ❌ requests-2.31.0-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 5479a8c1bb616465c01b99236371eceefb6a84fc
Found in base branch: main
Vulnerability Details
Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests "Session", if the first request is made with "verify=False" to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of "verify". This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2024-05-20
URL: CVE-2024-35195
CVSS 3 Score Details (5.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: High
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-9wx4-h78v-vm56
Release Date: 2024-05-20
Fix Resolution: 2.32.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2024-47081
Vulnerable Library - requests-2.31.0-py3-none-any.whl
Python HTTP for Humans.
Library home page: https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20260201143433_TSAEWI/python_OQBSXL/202602011434341/env/lib/python3.9/site-packages/requests-2.31.0.dist-info
Dependency Hierarchy:
- ❌ requests-2.31.0-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 5479a8c1bb616465c01b99236371eceefb6a84fc
Found in base branch: main
Vulnerability Details
Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc file can be disabled with "trust_env=False" on one's Requests Session.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-06-09
URL: CVE-2024-47081
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-9hjg-9r4m-mvj7
Release Date: 2025-06-09
Fix Resolution: 2.32.4
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2026-25645
Vulnerable Library - requests-2.31.0-py3-none-any.whl
Python HTTP for Humans.
Library home page: https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20260201143433_TSAEWI/python_OQBSXL/202602011434341/env/lib/python3.9/site-packages/requests-2.31.0.dist-info
Dependency Hierarchy:
- ❌ requests-2.31.0-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 5479a8c1bb616465c01b99236371eceefb6a84fc
Found in base branch: main
Vulnerability Details
Requests is a HTTP library. Prior to version 2.33.0, the function "requests.utils.extract_zipped_paths()" (which is used by "HTTPAdapter.cert_verify()" to load the CA bundle, often from the "certifi" package's zipapp structure) uses a predictable, non-unique filename (the basename of the file, e.g., "cacert.pem") when attempting to extract files into the system's temporary directory ("/tmp"). The vulnerable logic performs a check to see if the target file already exists in "/tmp" and re-uses the existing file if found, instead of securely checking the file's content or ensuring atomic, unique extraction. This allows a Local Attacker to pre-create a malicious CA bundle file (e.g., "/tmp/cacert.pem") before a vulnerable application (running with potentially higher privileges) initializes the "requests" library. Version 2.33.0 contains a patch.
Publish Date: 2026-03-25
URL: CVE-2026-25645
CVSS 3 Score Details (4.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
⛑️Automatic Remediation will be attempted for this issue.
Python HTTP for Humans.
Library home page: https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20260201143433_TSAEWI/python_OQBSXL/202602011434341/env/lib/python3.9/site-packages/requests-2.31.0.dist-info
Found in HEAD commit: 5479a8c1bb616465c01b99236371eceefb6a84fc
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - requests-2.31.0-py3-none-any.whl
Python HTTP for Humans.
Library home page: https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20260201143433_TSAEWI/python_OQBSXL/202602011434341/env/lib/python3.9/site-packages/requests-2.31.0.dist-info
Dependency Hierarchy:
Found in HEAD commit: 5479a8c1bb616465c01b99236371eceefb6a84fc
Found in base branch: main
Vulnerability Details
Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests "Session", if the first request is made with "verify=False" to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of "verify". This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2024-05-20
URL: CVE-2024-35195
CVSS 3 Score Details (5.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: High
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-9wx4-h78v-vm56
Release Date: 2024-05-20
Fix Resolution: 2.32.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - requests-2.31.0-py3-none-any.whl
Python HTTP for Humans.
Library home page: https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20260201143433_TSAEWI/python_OQBSXL/202602011434341/env/lib/python3.9/site-packages/requests-2.31.0.dist-info
Dependency Hierarchy:
Found in HEAD commit: 5479a8c1bb616465c01b99236371eceefb6a84fc
Found in base branch: main
Vulnerability Details
Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc file can be disabled with "trust_env=False" on one's Requests Session.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-06-09
URL: CVE-2024-47081
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-9hjg-9r4m-mvj7
Release Date: 2025-06-09
Fix Resolution: 2.32.4
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - requests-2.31.0-py3-none-any.whl
Python HTTP for Humans.
Library home page: https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20260201143433_TSAEWI/python_OQBSXL/202602011434341/env/lib/python3.9/site-packages/requests-2.31.0.dist-info
Dependency Hierarchy:
Found in HEAD commit: 5479a8c1bb616465c01b99236371eceefb6a84fc
Found in base branch: main
Vulnerability Details
Requests is a HTTP library. Prior to version 2.33.0, the function "requests.utils.extract_zipped_paths()" (which is used by "HTTPAdapter.cert_verify()" to load the CA bundle, often from the "certifi" package's zipapp structure) uses a predictable, non-unique filename (the basename of the file, e.g., "cacert.pem") when attempting to extract files into the system's temporary directory ("/tmp"). The vulnerable logic performs a check to see if the target file already exists in "/tmp" and re-uses the existing file if found, instead of securely checking the file's content or ensuring atomic, unique extraction. This allows a Local Attacker to pre-create a malicious CA bundle file (e.g., "/tmp/cacert.pem") before a vulnerable application (running with potentially higher privileges) initializes the "requests" library. Version 2.33.0 contains a patch.
Publish Date: 2026-03-25
URL: CVE-2026-25645
CVSS 3 Score Details (4.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.⛑️Automatic Remediation will be attempted for this issue.