Incorrect control flow implementation in requests library (CVE-2024-35195) #shorts #breaking

CVE

In May 2024, a new vulnerability was reported in the popular Requests library, identified as CVE-2024-35195. It stems from an incorrect control flow implementation within the library. Although no specific attacks have been reported yet, the flaw is significant because it affects all versions of Requests prior to 2.32.0. The main concern is that it allows potential attackers to bypass SSL certificate verification, which poses serious security risks for anyone relying on Requests for secure HTTP communications.

Watch the full video on YouTube: CVE-2024-35195

CVE database technical details

CVE ID: CVE-2024-35195
Description: Requests is an HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0.
Provider: GitHub_M
CWE / problem types: CWE-670: Always-Incorrect Control Flow Implementation
Affected software versions: psf:requests, versions < 2.32.0 (status: affected)
Date published: 2024-05-20T20:14:48.206Z
Last updated: 2025-02-13T17:52:32.002Z
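As an added example (not code from this page, the video, or the Requests project), a small stdlib-only Python audit helper that captures the two checks the description above implies: whether an installed Requests version is below the 2.32.0 fix, and whether a sequence of calls made through one Session sends verify=False to a host and later a verify=True request to the same host. The pool key is an approximation of the pre-2.32.0 behaviour (scheme, host, port), and the sample calls are constructed.

```python
"""Audit helper for CVE-2024-35195 (stdlib only; added example, not Requests project code)."""
from urllib.parse import urlsplit

FIXED_VERSION = (2, 32, 0)  # first release in which the fix ships, per the CVE text

def parse_version(version):
    """'2.31.0' -> (2, 31, 0); plain dotted numeric releases only."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits or 0))
    return tuple((parts + [0, 0, 0])[:3])

def is_affected(version):
    """True if this Requests version is older than the 2.32.0 fix."""
    return parse_version(version) < FIXED_VERSION

def pool_key(url):
    """Approximate pre-2.32.0 pool key (scheme, host, port): URLs sharing it reuse a connection."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname, port)

def find_verify_regressions(calls):
    """calls: ordered (url, verify) pairs sent through ONE requests.Session. Returns
    [(index, url)] for HTTPS requests that asked for verification but, on an affected
    version, would reuse a connection opened earlier with verify=False."""
    unverified_pools = set()
    findings = []
    for index, (url, verify) in enumerate(calls):
        key = pool_key(url)
        if key[0] != "https":
            continue  # plain HTTP never verifies a certificate anyway
        if verify is False:
            unverified_pools.add(key)
        elif key in unverified_pools:
            findings.append((index, url))
    return findings

# Constructed sample: a health probe sent with verify=False, then real traffic to the same host.
SAMPLE_CALLS = [
    ("https://api.example.com/health", False),
    ("https://api.example.com/transfer", True),
    ("https://other.example.com/", True),
]
```

On an affected version, any call that genuinely needs verify=False should go through its own Session so that its pooled connection is never reused by requests that expect verification.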