CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-35195: Requests `Session` object does not verify requests after making first request with verify=False

5.6 CVSS

Description

Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0.

Classification

CVE ID: CVE-2024-35195

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.6

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N

Affected Products

Vendor: psf

Product: requests

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 18.39% (scored less or equal to compared to others)

EPSS Date: 2025-03-14 (when was this score calculated)

References

https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56
https://github.com/psf/requests/pull/6655
https://github.com/psf/requests/commit/a58d7f2ffb4d00b46dca2d70a3932a0b37e22fac
https://lists.fedoraproject.org/archives/list/[email protected]/message/IYLSNK5TL46Q6XPRVMHVWS63MVJQOK4Q/
https://lists.fedoraproject.org/archives/list/[email protected]/message/N7WP6EYDSUOCOJYHDK5NX43PYZ4SNHGZ/

Timeline

2025-02-14 00:32:10 UTC
CVE

Requests `Session` object does not verify requests after making first request with verify=False