CVE-2024-35195: Requests `Session` object does not verify requests after making first request with verify=False

May 20, 2024

When making requests through a Requests Session, if the first request is made with verify=False to disable cert verification, all subsequent requests to the same origin will continue to ignore cert verification regardless of changes to the value of verify. This behavior will continue for the lifecycle of the connection in the connection pool.

References

github.com/advisories/GHSA-9wx4-h78v-vm56
github.com/psf/requests
github.com/psf/requests/commit/a58d7f2ffb4d00b46dca2d70a3932a0b37e22fac
github.com/psf/requests/pull/6655
github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56
nvd.nist.gov/vuln/detail/CVE-2024-35195

Code Behaviors & Features

Detect and mitigate CVE-2024-35195 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →