requests 2.31.0 was the latest release for a full year (and couldn't be exploited).
The CVE describes a specific case: Using requests.Session(verify=False), which isn't used.
Local only with high privileges required (meaning it can't be exploited by an attacker who isn't an admin user already, who would already have the permissions to do absolutely anything with Python already):
All current versions of requests after 2.31.0 are currently in worse shape: (2.32.3 is the current latest)
Hoping for a newer version of requests soon that fixes that. Currently 2.31.0 is the best version to have.
Your vulnerability scanning tool (Snyk) has a major vulnerability in that it can recommend upgrading to a newer release of a Python library that is in worse shape than an earlier version. I recommend remediation. GitHub's own security tools are currently quite good for that: https://docs.github.com/en/code-security
Hello team,
Snyk has reported a vulnerability with requests==2.31.0 that is fixed in requests>=2.32.
Is it possible to upgrade this requirement?
Thanks in advance,
José Amaral