
cpe:2.3:a:python:requests:*:*:*:*:*:*:*:*

part: a, version: *, update: *

Vendor: Python (b57ad93a-6195-5192-9423-6cfad6044a8b)
Product: Requests (5da67128-09f0-59b9-a00e-1e6663a3465d)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from purl2cpe mapping

PURL mappings

PURL | Source | Last updated
pkg:deb/debian/requests purl2cpe 2026-06-01 10:16:27.971160
pkg:deb/ubuntu/requests purl2cpe 2026-06-01 10:16:27.971163
pkg:github/psf/requests purl2cpe 2026-06-01 10:16:27.971166
pkg:gitlab/gitlab-org/requests purl2cpe 2026-06-01 10:16:27.971169
pkg:gitlab/kalilinux/requests purl2cpe 2026-06-01 10:16:27.971172
pkg:pypi/requests purl2cpe 2026-06-01 10:16:27.971175
pkg:rpm/fedora/python-requests purl2cpe 2026-06-01 10:16:27.971177
pkg:rpm/opensuse/python-requests purl2cpe 2026-06-01 10:16:27.971180

Vulnerability references

Identifier | CPE applicability | Submitted | db.gcve.eu details | Rationale
CVE:CVE-2026-25645 vulnerable 2026-06-03 15:18:03.794637 Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function
MEDIUM (4.4)
Requests is an HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. Standard usage of the Requests library is not affected by this vulnerability. Only applications that call `extract_zipped_paths()` directly are impacted. Starting in version 2.33.0, the library extracts files to a non-deterministic location. If developers are unable to upgrade, they can set `TMPDIR` in their environment to a directory with restricted write access.
Published: 2026-03-25T17:02:48.402Z
Updated: 2026-03-25T22:48:33.406Z
Reference links
Imported from gcve-enriched-dumps CVE data
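The advisory above describes a pattern rather than showing it, so the following added example (written for this entry; it is not code from the Requests project and does not call `extract_zipped_paths()`) re-creates the two behaviours side by side: a hypothetical `extract_predictable()` that writes to a deterministic name in the temp directory and trusts any file already there, and a hardened `extract_unpredictable()` that uses a fresh `tempfile.mkdtemp()` directory plus exclusive-create mode. It also includes `tmpdir_is_restricted()`, a check for the `TMPDIR` workaround. The archive, its member name and both file contents are constructed; a `TemporaryDirectory` stands in for the shared system temp directory so the script runs offline.

```python
import os
import stat
import tempfile
import zipfile

# Constructed sample contents; a real bundle would be a CA certificate file.
LEGIT = b"-----BEGIN CERTIFICATE-----\nlegitimate bundle\n-----END CERTIFICATE-----\n"
PLANTED = b"-----BEGIN CERTIFICATE-----\nattacker bundle\n-----END CERTIFICATE-----\n"
MEMBER = "certs/cacert.pem"  # constructed member name


def make_archive(directory):
    """Write a constructed zip with one member, standing in for a zipped package resource."""
    archive = os.path.join(directory, "bundle.zip")
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr(MEMBER, LEGIT)
    return archive


def extract_predictable(archive, member, tmpdir):
    """Hypothetical re-creation of the pattern the advisory describes (not the
    library's code): deterministic destination, reused if it already exists."""
    dest = os.path.join(tmpdir, os.path.basename(member))
    if os.path.exists(dest):
        return dest  # trusts whatever is already there, whoever wrote it
    with zipfile.ZipFile(archive) as zf, open(dest, "wb") as fh:
        fh.write(zf.read(member))
    return dest


def extract_unpredictable(archive, member, tmpdir):
    """Hardened form: a fresh mkdtemp() directory (random name, mode 0o700)
    and exclusive create ('x'), so a pre-existing file is an error, never reused."""
    outdir = tempfile.mkdtemp(prefix="extract-", dir=tmpdir)
    dest = os.path.join(outdir, os.path.basename(member))
    with zipfile.ZipFile(archive) as zf, open(dest, "xb") as fh:
        fh.write(zf.read(member))
    return dest


def tmpdir_is_restricted(path):
    """Check for the TMPDIR workaround: the directory must not be writable by
    group or others. The sticky bit on a shared /tmp does not help here; it
    protects existing files, not a name the attacker creates before you do."""
    mode = os.stat(path).st_mode
    return stat.S_ISDIR(mode) and not (mode & 0o022)


def _read(path):
    with open(path, "rb") as fh:
        return fh.read()


def demo():
    """Plant a file at the predictable path, then run both strategies.
    Returns (bytes loaded by the vulnerable path, bytes loaded by the hardened
    path, whether the private temp dir passes the TMPDIR check)."""
    with tempfile.TemporaryDirectory() as tmpdir:  # stands in for the system temp dir
        archive = make_archive(tmpdir)
        with open(os.path.join(tmpdir, os.path.basename(MEMBER)), "wb") as fh:
            fh.write(PLANTED)  # the local attacker's pre-created file
        vulnerable = _read(extract_predictable(archive, MEMBER, tmpdir))
        hardened = _read(extract_unpredictable(archive, MEMBER, tmpdir))
        restricted = tmpdir_is_restricted(tmpdir)
    return vulnerable, hardened, restricted


if __name__ == "__main__":
    loaded_vuln, loaded_hard, restricted = demo()
    print("vulnerable path loaded the planted file:", loaded_vuln == PLANTED)
    print("hardened path loaded the archive member:", loaded_hard == LEGIT)
    print("private TMPDIR passes the write-access check:", restricted)
```

The exclusive-create mode matters even inside a `mkdtemp()` directory: it turns any race or name collision into an exception instead of a silent reuse, which is the failure mode the advisory describes.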
CVE:CVE-2023-32681 vulnerable 2026-06-03 14:51:59.750565 Unintended leak of Proxy-Authorization header in requests
MEDIUM (6.1)
Requests is an HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However, when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.
Published: 2023-05-26T17:02:52.899Z
Updated: 2025-02-13T16:54:56.639Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-18074 vulnerable 2026-06-03 14:38:22.484229 Details available
The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.
Published: 2018-10-09T15:00:00.000Z
Updated: 2024-08-05T11:01:14.951Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2014-1830 vulnerable 2026-06-03 14:33:48.627847 Details available
Requests (aka python-requests) before 2.3.0 allows remote servers to obtain sensitive information by reading the Proxy-Authorization header in a redirected request.
Published: 2014-10-15T14:00:00.000Z
Updated: 2024-08-06T09:50:11.480Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2014-1829 vulnerable 2026-06-03 14:33:48.626454 Details available
Requests (aka python-requests) before 2.3.0 allows remote servers to obtain a netrc password by reading the Authorization header in a redirected request.
Published: 2014-10-15T14:00:00.000Z
Updated: 2024-08-06T09:50:11.165Z
Reference links
Imported from gcve-enriched-dumps CVE data
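The four redirect entries above (CVE-2023-32681, CVE-2018-18074, CVE-2014-1830, CVE-2014-1829) are all the same class of bug: a credential header attached to the first request follows the client to a place it was never meant to go. The added example below (written for this entry; it is not the Requests implementation of `rebuild_auth` or `rebuild_proxies`, and it makes no network calls) shows the decision rules implied by those advisories as plain functions: `should_strip_auth()` drops `Authorization` on a host change or on any scheme or port change other than a same-host http-to-https upgrade on default ports; `headers_for_redirect()` never lets `Proxy-Authorization` travel to a destination; and `proxy_auth_headers()` only places proxy credentials in request headers for a plain-http target, since an https target is tunneled and the credential belongs on the CONNECT. Hostnames and credentials in the scenario are constructed placeholders.

```python
import base64
from urllib.parse import urlsplit


def should_strip_auth(old_url, new_url):
    """Decide whether the Authorization header survives a redirect.
    Strip on any hostname change (CVE-2014-1829 class) and on any scheme or
    port change, except the http -> https upgrade on default ports. The
    same-host https -> http downgrade is the CVE-2018-18074 class."""
    old, new = urlsplit(old_url), urlsplit(new_url)
    if old.hostname != new.hostname:
        return True
    if (old.scheme == "http" and old.port in (80, None)
            and new.scheme == "https" and new.port in (443, None)):
        return False
    return old.scheme != new.scheme or old.port != new.port


def headers_for_redirect(old_url, new_url, headers):
    """Rebuild the header set for the redirected request. Proxy-Authorization is
    dropped unconditionally: it belongs to the proxy hop and has no business
    reaching the destination (CVE-2014-1830 and CVE-2023-32681 class)."""
    out = {k: v for k, v in headers.items() if k.lower() != "proxy-authorization"}
    if should_strip_auth(old_url, new_url):
        out = {k: v for k, v in out.items() if k.lower() != "authorization"}
    return out


def proxy_auth_headers(target_url, proxy_url):
    """Where proxy credentials may travel as a request header: only for a plain
    http target, which the proxy reads and strips before forwarding. For an
    https target the request is tunneled, so the credential must go on the
    CONNECT, and an empty dict is returned for the tunneled request itself."""
    proxy = urlsplit(proxy_url)
    if urlsplit(target_url).scheme != "http" or not proxy.username:
        return {}
    token = base64.b64encode(f"{proxy.username}:{proxy.password or ''}".encode()).decode()
    return {"Proxy-Authorization": f"Basic {token}"}


# Constructed scenario: hosts, token and proxy credentials are placeholders.
HEADERS = {
    "Authorization": "Bearer s3cret",
    "Proxy-Authorization": "Basic dXNlcjpwdw==",  # base64("user:pw")
    "Accept": "*/*",
}
PROXY = "http://user:pw@proxy.example.test:3128"


def demo():
    """Run the redirect and proxy shapes the advisories describe and return
    the header set a safe client would actually send in each case."""
    return {
        "same_host_downgrade": headers_for_redirect(
            "https://api.example.test/a", "http://api.example.test/b", HEADERS),
        "same_host_upgrade": headers_for_redirect(
            "http://api.example.test/a", "https://api.example.test/b", HEADERS),
        "cross_host": headers_for_redirect(
            "https://api.example.test/a", "https://cdn.example.test/b", HEADERS),
        "proxy_header_for_http": proxy_auth_headers("http://api.example.test/a", PROXY),
        "proxy_header_for_https": proxy_auth_headers("https://api.example.test/a", PROXY),
    }


if __name__ == "__main__":
    for name, sent in demo().items():
        print(f"{name}: {sorted(sent)}")
```

When auditing a client, the question to ask at every redirect hop is the same one these functions encode: which of the headers on the outgoing request were credentials for the previous hop, and does the new scheme, host and port still justify sending them.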
