Requests is a widely used PyPI package. As of 2026-05-24, there are 13 known vulnerabilities in the OSV database. The latest stable version is 2.34.2. Developers should audit their dependency trees and update to patched versions.
Package Overview
Known Vulnerabilities (13)
| ID | Severity | Score | Affected Versions | Fixed In | Description |
|---|---|---|---|---|---|
| CVE-2018-18074 | HIGH | 7.5 | 0 to 2.20.0 | 2.20.0 | Insufficiently Protected Credentials in Requests |
| CVE-2014-1830 | MODERATE | 5.0 | 0 to 2.3.0 | 2.3.0 | Exposure of Sensitive Information to an Unauthorized Actor in Requests |
| CVE-2024-47081 | MODERATE | 5.0 | 0 to 2.32.4 | 2.32.4 | Requests vulnerable to .netrc credentials leak via malicious URLs |
| CVE-2024-35195 | MODERATE | 5.0 | 0 to 2.32.0 | 2.32.0 | Requests `Session` object does not verify requests after making first request with verify=False |
| CVE-2014-1829 | MODERATE | 5.0 | 0 to 2.3.0 | 2.3.0 | Exposure of Sensitive Information to an Unauthorized Actor in Requests |
| CVE-2026-25645 | MODERATE | 5.0 | 0 to 2.33.0 | 2.33.0 | Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function |
| CVE-2023-32681 | MODERATE | 5.0 | 2.3.0 to 2.31.0 | 2.31.0 | Unintended leak of Proxy-Authorization header in requests |
| CVE-2015-2296 | MODERATE | 5.0 | 2.1.0 to 2.6.0 | 2.6.0 | Python Requests Session Fixation |
| CVE-2014-1829 | UNKNOWN | - | 0 to 2.3.0 | 2.3.0 | Requests (aka python-requests) before 2.3.0 allows remote servers to obtain a netrc password by reading the Authorization header in a redirected request. |
| CVE-2014-1830 | UNKNOWN | - | 0 to 2.3.0 | 2.3.0 | Requests (aka python-requests) before 2.3.0 allows remote servers to obtain sensitive information by reading the Proxy-Authorization header in a redirected request. |
| CVE-2015-2296 | UNKNOWN | - | 0 to 3bd8afbff29e50b38f889b2f688785a669b9aafc; 2.1.0 to 2.6.0 | 3bd8afbff29e50b38f889b2f688785a669b9aafc | The resolve_redirects function in sessions.py in requests 2.1.0 through 2.5.3 allows remote attackers to conduct session fixation attacks via a cookie without a host value in a redirect. |
| CVE-2018-18074 | UNKNOWN | - | 0 to c45d7c49ea75133e52ab22a8e9e13173938e36ff; 0 to 2.20.0 | c45d7c49ea75133e52ab22a8e9e13173938e36ff | The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to dis |
| CVE-2023-32681 | UNKNOWN | - | 0 to 74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5; 2.3.0 to 2.31.0 | 74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5 | Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `re |
Security Recommendations
- Pin Requests to the latest stable version (2.34.2) in your dependency manifest
- Enable automated dependency updates with Dependabot or Renovate
- Run regular vulnerability scans using
pip-audit - Review your lock file (requirements.txt) after every update
- Monitor the OSV database and NIST NVD for new advisories
FAQ
Is Requests safe to use?
Requests is actively maintained and widely used. As of 2026-05-24, there are 13 known vulnerabilities listed in the OSV database. Most have patches available. Keeping your dependencies updated and running regular security audits significantly reduces risk.
What vulnerabilities does Requests have?
The OSV database currently lists 13 vulnerabilities for Requests. These range in severity and are detailed in the vulnerability table above. Check the linked advisories for full technical details and remediation guidance.
How do I update Requests to fix vulnerabilities?
Run pip install --upgrade requests to get the newest version. Use pip-audit or safety check to scan for known vulnerabilities. Pin your dependencies with a requirements file and review updates regularly.
Using AI-Generated Code with Requests?
Our vibe coding security audit checks for misconfigurations, exposed secrets and vulnerable dependencies in AI-generated codebases. If your project uses Requests, we can verify it is locked to a safe version and properly configured.
Get a Vibe Coding Security Audit