Requests

This hub aggregates every CVE we track for Requests, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 13 most recently published vulnerabilities affecting Requests.

• CVE-2026-25645Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function4.4Mar 25, 2026
• CVE-2024-47081Requests vulnerable to .netrc credentials leak via malicious URLs5.3Jun 9, 2025
• CVE-2024-35195Requests `Session` object does not verify requests after making first request with verify=False5.6May 20, 2024
• CVE-2023-32681Unintended leak of Proxy-Authorization header in requests6.1May 26, 2023
• CVE-2022-34782An incorrect permission check in Jenkins requests-plugin Plugin 2.2.16 and earlier allows attackers with Overall/Read permission to view the list of pending requests.4.3Jun 30, 2022
• CVE-2021-21676Jenkins requests-plugin Plugin 2.2.7 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to send test emails to an attacker-specifie...4.3Jun 30, 2021
• CVE-2021-21675A cross-site request forgery (CSRF) vulnerability in Jenkins requests-plugin Plugin 2.2.12 and earlier allows attackers to create requests and/or have administrators apply pending requests.6.5Jun 30, 2021
• CVE-2021-21674A missing permission check in Jenkins requests-plugin Plugin 2.2.6 and earlier allows attackers with Overall/Read permission to view the list of pending requests.4.3Jun 30, 2021
• CVE-2021-29476Insecure Deserialization of untrusted data in rmccue/requests9.8Apr 27, 2021
• CVE-2018-18074The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to ...7.5Oct 9, 2018
• CVE-2015-2296The resolve_redirects function in sessions.py in requests 2.1.0 through 2.5.3 allows remote attackers to conduct session fixation attacks via a cookie without a host value in a redirect.6.8Mar 18, 2015
• CVE-2014-1830Requests (aka python-requests) before 2.3.0 allows remote servers to obtain sensitive information by reading the Proxy-Authorization header in a redirected request.5.0Oct 15, 2014
• CVE-2014-1829Requests (aka python-requests) before 2.3.0 allows remote servers to obtain a netrc password by reading the Authorization header in a redirected request.5.0Oct 15, 2014