CVE-2024-35195

Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests Session, if the first request is made with verify=False to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of verify. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0.

Published: May 20, 2024
Updated: May 4, 2025
CVE: CVE-2024-35195
GHSA: GHSA-9wx4-h78v-vm56
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N

CWEs:

CWE-670

Affected Software
References

Software	From	Fixed in
requests	-	2.32.0

https://github.com/psf/requests/commit/a58d7f2ffb4d00b46dca2d70a3932a0b37e22fac
https://github.com/psf/requests/pull/6655
https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56
https://lists.fedoraproject.org/archives/list/[email protected]/message/IYLSNK5TL46Q6XPRVMHVWS63MVJQOK4Q
https://lists.fedoraproject.org/archives/list/[email protected]/message/IYLSNK5TL46Q6XPRVMHVWS63MVJQOK4Q/
https://lists.fedoraproject.org/archives/list/[email protected]/message/N7WP6EYDSUOCOJYHDK5NX43PYZ4SNHGZ
https://lists.fedoraproject.org/archives/list/[email protected]/message/N7WP6EYDSUOCOJYHDK5NX43PYZ4SNHGZ/

Vulnerability Database

289,697

CVE-2024-35195