All requests CVEs — Complete Vulnerability History
requests is the most downloaded Python package — over 300 million weekly installs. Despite its massive usage, it has had relatively few CVEs, mostly related to credential exposure on redirect. Keep it at 2.31.0 or later.
CVE history — all 3 known vulnerabilities
| CVE ID | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2014-1829 | 2014 | MEDIUM | Proxy-Authorization header sent to redirected host | Fixed in 2.3.0 |
| CVE-2018-18074 | 2018 | MEDIUM | HTTP header injection via crafted redirect URL | Fixed in 2.20.0 |
| CVE-2023-32681 | 2023 | MEDIUM | Proxy credential leak via HTTPS→HTTP redirect | Fixed in 2.31.0 |
Current safe version
✓ Update to 2.31.0
The latest safe version addresses all 3 known CVEs listed above.
Before and after
Vulnerable:
requests==2.25.1
Fixed:
requests==2.31.0
Then run: pip install -r requirements.txt
Common questions
Why does requests have so few CVEs despite 300M weekly downloads?
requests does one thing and does it well — it's a thin wrapper around urllib3. The simplicity reduces attack surface. Most HTTP-related CVEs in Python apps come from urllib3 or the application's own URL handling, not requests itself.
Does CVE-2023-32681 affect me if I don't use a proxy?
No — this CVE only affects apps using proxy authentication. If you don't set proxies in requests, your exposure is zero. Still worth updating since 2.31.0 has no breaking changes.
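All three CVEs in the table share one root cause: a credential-carrying header following a redirect across a trust boundary (a different host, a proxy-only header reaching the origin, or an HTTPS→HTTP downgrade). The policy below is an added, self-contained illustration of the scrubbing a redirect handler should apply; it models the behaviour described on this page and is not requests' own code. The redirect chain, header names and URLs are constructed sample data, and `follow_redirects` walks an in-memory map instead of the network.

```python
from urllib.parse import urlparse


def scrub_headers_for_redirect(original_url: str, redirect_url: str, headers: dict) -> dict:
    """Return a copy of `headers` that is safe to send to `redirect_url`.

    Policy (modelled on the fixes summarised on this page, not the library's code):
      * Proxy-Authorization is never forwarded to a redirect target; it is for
        the proxy, not the origin server (CVE-2014-1829, CVE-2023-32681).
      * Authorization is dropped when the redirect changes host or downgrades
        the scheme from https to http (CVE-2018-18074).
    """
    src, dst = urlparse(original_url), urlparse(redirect_url)
    downgraded = src.scheme == "https" and dst.scheme == "http"
    cross_host = (src.hostname or "").lower() != (dst.hostname or "").lower()
    cleaned = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname == "proxy-authorization":
            continue  # proxy credentials must never reach the destination
        if lname == "authorization" and (downgraded or cross_host):
            continue  # bearer/basic credentials stay within the original origin
        cleaned[name] = value
    return cleaned


def follow_redirects(start_url: str, headers: dict, redirect_map: dict, max_hops: int = 5):
    """Walk a constructed redirect chain, scrubbing headers at every hop.

    `redirect_map` maps a URL to its Location target (sample data, no network).
    Returns (final_url, headers_that_would_be_sent_to_it).
    """
    url, current = start_url, dict(headers)
    for _ in range(max_hops):
        nxt = redirect_map.get(url)
        if nxt is None:
            return url, current
        current = scrub_headers_for_redirect(url, nxt, current)
        url = nxt
    raise RuntimeError("too many redirects")


if __name__ == "__main__":
    # Constructed sample: an https API bounces the client to plain http on the same host.
    chain = {"https://api.example.com/v1": "http://api.example.com/v1"}
    hdrs = {"Authorization": "Bearer TOKEN", "Proxy-Authorization": "Basic cHJveHk6c2VjcmV0",
            "Accept": "application/json"}
    final_url, sent = follow_redirects("https://api.example.com/v1", hdrs, chain)
    print(final_url, sent)  # http://api.example.com/v1 {'Accept': 'application/json'}
```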
What's the difference between requests CVEs and urllib3 CVEs?
requests uses urllib3 internally. CVEs in urllib3 affect requests transitively. CVE-2023-45803 (urllib3 credential leak) and CVE-2021-33503 (urllib3 ReDoS) are worth checking separately. PackageFix scans both when you paste your requirements.txt.
Should I switch from requests to httpx?
httpx is a modern alternative with async support and HTTP/2. It doesn't have requests' CVE history issues, but it's a larger migration. For new projects, httpx is worth evaluating. For existing projects, requests 2.31.0 is fine.