GHSA-9wx4-h78v-vm56
Suggest an improvement- Source
- https://github.com/advisories/GHSA-9wx4-h78v-vm56
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-9wx4-h78v-vm56/GHSA-9wx4-h78v-vm56.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-9wx4-h78v-vm56
- Aliases
- Related
- Published
- 2024-05-20T20:15:00Z
- Modified
- 2026-01-16T00:17:43.184646Z
- Severity
-
- 5.6 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- Requests `Session` object does not verify requests after making first request with verify=False
- Details
-
When using a
requests.Session, if the first request to a given origin is made withverify=False, TLS certificate verification may remain disabled for all subsequent requests to that origin, even ifverify=Trueis explicitly specified later.This occurs because the underlying connection is reused from the session's connection pool, causing the initial TLS verification setting to persist for the lifetime of the pooled connection. As a result, applications may unintentionally send requests without certificate verification, leading to potential man-in-the-middle attacks and compromised confidentiality or integrity.
This behavior affects versions of
requestsprior to 2.32.0. - Database specific
{ "github_reviewed": true, "github_reviewed_at": "2024-05-20T20:15:00Z", "severity": "MODERATE", "nvd_published_at": "2024-05-20T21:15:09Z", "cwe_ids": [ "CWE-670" ] }- References
-
- https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56
- https://nvd.nist.gov/vuln/detail/CVE-2024-35195
- https://github.com/psf/requests/pull/6655
- https://github.com/psf/requests/commit/a58d7f2ffb4d00b46dca2d70a3932a0b37e22fac
- https://github.com/psf/requests
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IYLSNK5TL46Q6XPRVMHVWS63MVJQOK4Q
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N7WP6EYDSUOCOJYHDK5NX43PYZ4SNHGZ
Affected packages
PyPI / requests
Package
- Name
- requests
- View open source insights on deps.dev
- Purl
- pkg:pypi/requests
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.32.0
Affected versions
0.*
0.0.1
0.2.0
0.2.1
0.2.2
0.2.3
0.2.4
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
0.4.0
0.4.1
0.5.0
0.5.1
0.6.0
0.6.1
0.6.2
0.6.3
0.6.4
0.6.5
0.6.6
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.7.5
0.7.6
0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.8.5
0.8.6
0.8.7
0.8.8
0.8.9
0.9.0
0.9.1
0.9.2
0.9.3
0.10.0
0.10.1
0.10.2
0.10.3
0.10.4
0.10.6
0.10.7
0.10.8
0.11.1
0.11.2
0.12.0
0.12.01
0.12.1
0.13.0
0.13.1
0.13.2
0.13.3
0.13.4
0.13.5
0.13.6
0.13.7
0.13.8
0.13.9
0.14.0
0.14.1
0.14.2
1.*
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.1.0
1.2.0
1.2.1
1.2.2
1.2.3
2.*
2.0.0
2.0.1
2.1.0
2.2.0
2.2.1
2.3.0
2.4.0
2.4.1
2.4.2
2.4.3
2.5.0
2.5.1
2.5.2
2.5.3
2.6.0
2.6.1
2.6.2
2.7.0
2.8.0
2.8.1
2.9.0
2.9.1
2.9.2
2.10.0
2.11.0
2.11.1
2.12.0
2.12.1
2.12.2
2.12.3
2.12.4
2.12.5
2.13.0
2.14.0
2.14.1
2.14.2
2.15.0
2.15.1
2.16.0
2.16.1
2.16.2
2.16.3
2.16.4
2.16.5
2.17.0
2.17.1
2.17.2
2.17.3
2.18.0
2.18.1
2.18.2
2.18.3
2.18.4
2.19.0
2.19.1
2.20.0
2.20.1
2.21.0
2.22.0
2.23.0
2.24.0
2.25.0
2.25.1
2.26.0
2.27.0
2.27.1
2.28.0
2.28.1
2.28.2
2.29.0
2.30.0
2.31.0