Description
Vulnerable Library - requests-2.31.0-py3-none-any.whl
Python HTTP for Humans.
Library home page: https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250310102549_CEIAPM/python_AHZQLM/202503101025511/env/lib/python3.9/site-packages/requests-2.31.0.dist-info
Found in HEAD commit: e3b0e2be745dfd07614a7e51efdf740233a4e627
Vulnerabilities
| Vulnerability | Severity (CVSS 3 score) | Dependency | Type | Fixed in (requests version) | Remediation Possible** |
|---|---|---|---|---|---|
| CVE-2024-35195 | 5.6 | requests-2.31.0-py3-none-any.whl | Direct | 2.32.0 | ❌ |
| CVE-2024-47081 | 5.3 | requests-2.31.0-py3-none-any.whl | Direct | 2.32.4 | ❌ |
| CVE-2026-25645 | 4.4 | requests-2.31.0-py3-none-any.whl | Direct | https://github.com/psf/requests.git - v2.33.0 | ❌ |

**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
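A quick way to act on the table above is to compare the pinned version in requirements.txt against each "Fixed in" version and pick the single upgrade target that closes all three findings. The script below is an added example written for this page, not Mend's or the requests project's code; the requirements.txt content is constructed to match the wheel the report names, and version comparison is a plain tuple compare rather than PEP 440 (so `packaging` is not assumed to be installed).

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed versions exactly as the report table lists them.
FIXED_IN: Dict[str, str] = {
    "CVE-2024-35195": "2.32.0",
    "CVE-2024-47081": "2.32.4",
    "CVE-2026-25645": "2.33.0",
}

# Constructed stand-in for the scanned /requirements.txt; the pin matches the
# wheel named in the report (requests-2.31.0).
SAMPLE_REQUIREMENTS = """\
# application dependencies
requests==2.31.0
urllib3>=1.26,<3
"""


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.32.4' -> (2, 32, 4). Final releases only: every fix in the table is a
    final release, so pre-release tags are deliberately not handled."""
    return tuple(int(part) for part in v.split("."))


def pinned_version(requirements: str, package: str) -> Optional[str]:
    """Exact '==' pin for `package`, or None. A range such as 'requests>=2.31'
    does not say what is actually installed, so it is not accepted as evidence."""
    pattern = re.compile(
        rf"^\s*{re.escape(package)}\s*==\s*([0-9]+(?:\.[0-9]+)*)",
        re.IGNORECASE | re.MULTILINE,
    )
    match = pattern.search(requirements)
    return match.group(1) if match else None


def unfixed_cves(installed: str, fixed_in: Dict[str, str] = FIXED_IN) -> List[str]:
    """CVE IDs from the table whose fix version is newer than the installed one."""
    current = parse_version(installed)
    return sorted(cve for cve, fix in fixed_in.items() if current < parse_version(fix))


def minimum_safe_version(fixed_in: Dict[str, str] = FIXED_IN) -> str:
    """Lowest single upgrade target that closes every CVE in the table."""
    return max(fixed_in.values(), key=parse_version)


if __name__ == "__main__":
    pin = pinned_version(SAMPLE_REQUIREMENTS, "requests")
    print(f"requests=={pin}: open {unfixed_cves(pin)}; upgrade to >= {minimum_safe_version()}")
```

Note that a partial upgrade to 2.32.4 would still leave CVE-2026-25645 open; the script reports that explicitly rather than treating "newer than 2.31.0" as fixed.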
Details
CVE-2024-35195
Vulnerable Library - requests-2.31.0-py3-none-any.whl
Python HTTP for Humans.
Library home page: https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250310102549_CEIAPM/python_AHZQLM/202503101025511/env/lib/python3.9/site-packages/requests-2.31.0.dist-info
Dependency Hierarchy:
- ❌ requests-2.31.0-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: e3b0e2be745dfd07614a7e51efdf740233a4e627
Found in base branch: main
Vulnerability Details
Requests is an HTTP library. Prior to 2.32.0, when making requests through a Requests "Session", if the first request is made with "verify=False" to disable certificate verification, all subsequent requests to the same host continue to ignore certificate verification regardless of the value of "verify" passed later. This behavior persists for the lifetime of that connection in the connection pool. This vulnerability is fixed in 2.32.0.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2024-05-20
URL: CVE-2024-35195
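Because this issue only triggers when some code path passes "verify=False" on a Session (or sets "session.verify = False"), the first triage step is finding those call sites. The AST audit below is an added example for this page, not code from Mend or the requests project; the sample module it scans is constructed, and `HTTP_METHODS` is an assumed list of the request-issuing method names to match. It only catches a literal `False`; a value that arrives through a variable or config lookup needs data-flow analysis this script does not do.

```python
import ast
from typing import List, Tuple

# Constructed sample module standing in for application code that uses requests.
SAMPLE_SOURCE = '''
import requests

session = requests.Session()
session.get("https://internal.example/health", verify=False)   # first request disables verification
session.get("https://internal.example/secrets", verify=True)   # pooled connection is reused

requests.get("https://api.example/", verify="/etc/ssl/corp-ca.pem")

other = requests.Session()
other.verify = False
'''

# Assumed set of request-issuing method names to inspect (module-level and Session).
HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options", "request", "send"}


def find_verify_false(source: str, filename: str = "<string>") -> List[Tuple[int, str]]:
    """Return (line, description) for every place TLS verification is switched off:
    a verify=False keyword on a request call, or an assignment of False to a
    `.verify` attribute (the Session-wide form). Only literal False is detected."""
    findings: List[Tuple[int, str]] = []
    tree = ast.parse(source, filename)
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            func = node.func
            name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
            if name in HTTP_METHODS:
                for kw in node.keywords:
                    if kw.arg == "verify" and isinstance(kw.value, ast.Constant) and kw.value.value is False:
                        findings.append((node.lineno, f"{name}(verify=False)"))
        elif isinstance(node, ast.Assign):
            if isinstance(node.value, ast.Constant) and node.value.value is False:
                for target in node.targets:
                    if isinstance(target, ast.Attribute) and target.attr == "verify":
                        findings.append((node.lineno, "<obj>.verify = False"))
    return sorted(findings)


if __name__ == "__main__":
    for line, what in find_verify_false(SAMPLE_SOURCE, "sample.py"):
        print(f"sample.py:{line}: {what}")
```

The `verify="/etc/ssl/corp-ca.pem"` call is deliberately not flagged: pointing at a private CA bundle keeps verification on. Any hit on a Session that is later reused for the same host is the pattern the CVE describes, and the right fix is upgrading rather than trying to re-enable verification per request.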
CVSS 3 Score Details (5.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: High
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-9wx4-h78v-vm56
Release Date: 2024-05-20
Fix Resolution: 2.32.0
Step up your Open Source Security Game with Mend here
CVE-2024-47081
Vulnerable Library - requests-2.31.0-py3-none-any.whl
Python HTTP for Humans.
Library home page: https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250310102549_CEIAPM/python_AHZQLM/202503101025511/env/lib/python3.9/site-packages/requests-2.31.0.dist-info
Dependency Hierarchy:
- ❌ requests-2.31.0-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: e3b0e2be745dfd07614a7e51efdf740233a4e627
Found in base branch: main
Vulnerability Details
Requests is an HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc file can be disabled by setting "trust_env=False" on the Requests Session.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-06-09
URL: CVE-2024-47081
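The bug class here is a credential lookup keyed on a different host string than the one the connection actually goes to. The example below is added for this page and is an illustration of that class using the standard library's `urlparse` and `netrc` modules; it is not a copy of the requests code that was fixed, and the weak `lookup_by_netloc` form is an assumed construction, not a claim about how requests computed the key. The .netrc content and the URLs are constructed.

```python
import netrc
import os
import tempfile
from typing import Optional, Tuple
from urllib.parse import urlparse

# Constructed .netrc entry: credentials for the one host we intend to trust.
SAMPLE_NETRC = "machine api.example.com login svc-user password s3cret\n"


def make_sample_netrc() -> str:
    """Write the constructed entry to a private temp file and return its path."""
    fd, path = tempfile.mkstemp(prefix="netrc-")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_NETRC)
    os.chmod(path, 0o600)
    return path


def connection_host(url: str) -> Optional[str]:
    """Host a client actually opens the connection to: userinfo and port removed."""
    return urlparse(url).hostname


def lookup_by_netloc(url: str, netrc_path: str) -> Optional[Tuple[str, str]]:
    """Weak lookup (assumed construction for illustration): keys on netloc cut at
    the first ':'. netloc still carries the userinfo part, so for a URL of the
    shape scheme://X:@host/ the key becomes X while the connection goes to host."""
    key = urlparse(url).netloc.split(":")[0]
    entry = netrc.netrc(netrc_path).authenticators(key)
    return (entry[0], entry[2]) if entry else None


def lookup_by_hostname(url: str, netrc_path: str) -> Optional[Tuple[str, str]]:
    """Hardened lookup: keys on exactly the hostname the connection will use."""
    key = connection_host(url)
    if not key:
        return None
    entry = netrc.netrc(netrc_path).authenticators(key)
    return (entry[0], entry[2]) if entry else None


if __name__ == "__main__":
    path = make_sample_netrc()
    crafted = "https://api.example.com:@evil.example/v1/login"
    print("connects to:", connection_host(crafted))
    print("netloc lookup:", lookup_by_netloc(crafted, path))
    print("hostname lookup:", lookup_by_hostname(crafted, path))
```

The general rule this demonstrates: whatever the HTTP stack uses as the host for the socket is the only acceptable key for an ambient-credential lookup. The page's interim mitigation, "trust_env=False" on the Session, removes the .netrc lookup entirely, which is the right call for code that never intended to rely on it.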
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-9hjg-9r4m-mvj7
Release Date: 2025-06-09
Fix Resolution: 2.32.4
CVE-2026-25645
Vulnerable Library - requests-2.31.0-py3-none-any.whl
Python HTTP for Humans.
Library home page: https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250310102549_CEIAPM/python_AHZQLM/202503101025511/env/lib/python3.9/site-packages/requests-2.31.0.dist-info
Dependency Hierarchy:
- ❌ requests-2.31.0-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: e3b0e2be745dfd07614a7e51efdf740233a4e627
Found in base branch: main
Vulnerability Details
Requests is an HTTP library. Prior to version 2.33.0, the "requests.utils.extract_zipped_paths()" utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. Standard usage of the Requests library is not affected by this vulnerability; only applications that call "extract_zipped_paths()" directly are impacted. Starting in version 2.33.0, the library extracts files to a non-deterministic location. If developers are unable to upgrade, they can set "TMPDIR" in their environment to a directory with restricted write access.
Publish Date: 2026-03-25
URL: CVE-2026-25645
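The failure mode described above (predictable name in a shared temp directory plus "reuse if it already exists") and the hardened alternative (a private, unpredictable directory and exclusive file creation) are shown side by side below. This is an added example written for this page that reimplements the pattern generically with `zipfile` and `tempfile`; it is not the requests `extract_zipped_paths()` code, and the archive, the member name and the planted file are all constructed.

```python
import io
import os
import tempfile
import zipfile


def make_sample_zip() -> bytes:
    """Constructed archive standing in for a zip an application ships a data file in."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("data/ca-bundle.pem", "legitimate contents\n")
    return buf.getvalue()


def extract_predictable(zip_bytes: bytes, member: str, tmpdir: str) -> str:
    """Vulnerable pattern: destination derived only from the member name inside a
    shared directory, and an existing file at that path is adopted unchecked."""
    dest = os.path.join(tmpdir, os.path.basename(member))
    if os.path.exists(dest):
        return dest  # reused, whoever put it there
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf, open(dest, "wb") as out:
        out.write(zf.read(member))
    return dest


def extract_private(zip_bytes: bytes, member: str, tmpdir: str) -> str:
    """Hardened pattern: a fresh mode-0700 directory with an unpredictable name
    (mkdtemp) and a file opened with O_CREAT|O_EXCL, so a pre-planted file can
    neither be guessed in advance nor silently adopted."""
    private_dir = tempfile.mkdtemp(prefix="extract-", dir=tmpdir)
    dest = os.path.join(private_dir, os.path.basename(member))
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf, os.fdopen(fd, "wb") as out:
        out.write(zf.read(member))
    return dest


def demo(tmpdir: str = None):
    """A local user plants a file under the shared temp dir before extraction;
    returns what each strategy ends up loading, as (predictable, private)."""
    tmpdir = tmpdir or tempfile.mkdtemp(prefix="demo-")
    zip_bytes = make_sample_zip()
    member = "data/ca-bundle.pem"
    planted = os.path.join(tmpdir, os.path.basename(member))
    with open(planted, "w") as fh:
        fh.write("ATTACKER CONTROLLED\n")

    def read(path: str) -> str:
        with open(path) as fh:
            return fh.read()

    return (
        read(extract_predictable(zip_bytes, member, tmpdir)),
        read(extract_private(zip_bytes, member, tmpdir)),
    )


if __name__ == "__main__":
    predictable, private = demo()
    print("predictable path loaded:", predictable.strip())
    print("private path loaded:   ", private.strip())
```

The `tmpdir` parameter plays the role of the page's "TMPDIR" workaround: pointing it at a directory only the application can write to removes the attacker's ability to plant the file, but the exclusive-create version does not depend on that being true.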
CVSS 3 Score Details (4.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-25
Fix Resolution: https://github.com/psf/requests.git - v2.33.0