httpx 0.24.1 pins httpcore below 0.18, and those httpcore releases pin h11>=0.13,<0.15, so the patched h11 0.16.0 cannot be installed alongside it. If pip-audit flags h11, upgrade the whole stack rather than httpx alone: httpx 0.27.0+ (which requires httpcore 1.x), httpcore 1.0.9+ (the first httpcore release that requires h11>=0.16) and h11 0.16.0+, the release that fixes the HTTP request smuggling bug.
Latest safe version: httpx 0.27.2 or later. Upgrade with `pip install httpx --upgrade`.
All httpx CVEs — Complete Vulnerability History
Last updated: April 1, 2026 · Data: OSV Database
httpx is Python's modern HTTP client with sync and async support. Its most-cited issue is in redirect handling: a server could redirect an https:// request to an http:// URL and the client followed it, so credentials sent on the redirected request travelled in cleartext.
Full CVE history
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2023-47641 | 2023 | MEDIUM | URL redirect via HTTPS to HTTP downgrade | Fixed 0.27.0 |
Current safe version: 0.27.0

Update the pin in requirements.txt:

```text
# Before
httpx==0.24.0
# After
httpx==0.27.0
```

Then run: pip install -r requirements.txt
httpx CVEs and safe versions
httpx is a modern async HTTP client for Python. Its CVE history is limited but it inherits vulnerabilities from its dependencies: httpcore, certifi, and h11. Always check the full dependency tree when pip-audit flags httpx.
Known httpx vulnerabilities
| CVE | Severity | Description | Safe Version |
|---|---|---|---|
| CVE-2021-41945 | HIGH | CRLF injection via crafted URL | 0.23.0+ |
| h11 CVE-2025-43859 | MED | HTTP request smuggling in the h11 dependency (not in httpx itself) | h11 0.16.0+ via httpcore 1.0.9+ |
Fix httpx vulnerabilities
Upgrade httpx together with httpcore and h11: `pip install httpx --upgrade` alone leaves an already-installed httpcore 1.0.5 (and its old h11 pin) in place because pip does not upgrade satisfied dependencies.

```bash
# Update httpx and its core dependencies in one step
pip install --upgrade httpx httpcore h11

# Verify installed versions
pip show httpx h11 httpcore | grep -E "Name:|Version:"
```

Then pin the floors in requirements.txt (h11 and httpcore are transitive dependencies, but pin them explicitly so a resolver cannot pick an older release):

```text
httpx>=0.27.0
h11>=0.16.0
httpcore>=1.0.9
```

Install from the manifest and re-run the audit:

```bash
pip install -r requirements.txt
pip-audit
```
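The dependency-tree point above (a clean httpx pin is not enough if httpcore or h11 is still old or unpinned) is easy to get wrong by eye. The script below, an added example that is not part of this page or the httpx project, audits a requirements.txt against the floors recommended here (httpx>=0.27.0, h11>=0.16.0, httpcore>=1.0.9, assumed from this page) and writes the corrected manifest. It also catches the case where an upper bound such as `h11<0.15` silently excludes the fixed release. The sample manifest is constructed input; only the standard library is used, so it runs offline.

```python
"""Audit a requirements.txt against safe floors for httpx and its HTTP stack.

Added example for this page, not code from the httpx project. The floors are
the ones the page recommends; the requirements text is constructed sample
input. Standard library only, so it runs offline.
"""
import re

# Safe floors (assumed from this page): httpx 0.27.0 covers CVE-2021-41945
# (fixed in 0.23.0); h11 0.16.0 fixes CVE-2025-43859; httpcore 1.0.9 is the
# first httpcore release that requires h11>=0.16.
SAFE_FLOORS = {"httpx": "0.27.0", "h11": "0.16.0", "httpcore": "1.0.9"}

# Constructed sample manifest: an old httpx pin, an h11 range that excludes
# the fix, and unrelated packages that must pass through untouched.
SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt
httpx==0.24.1
h11>=0.13,<0.15
certifi
requests==2.31.0
"""

# package name, optional extras, optional operator, optional version
_REQ_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9_.\-]*)(?:\[[^\]]*\])?\s*(==|>=|~=)?\s*([0-9][0-9.]*)?"
)
_UPPER_RE = re.compile(r"<\s*([0-9][0-9.]*)")


def parse_version(v: str) -> tuple:
    """'1.0.9' -> (1, 0, 9); enough for the release-only versions compared here."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def _requirement_name(line: str):
    spec = line.split("#", 1)[0].strip()  # drop inline comments
    m = _REQ_RE.match(spec)
    return (m.group(1).lower(), m, spec) if m else (None, None, spec)


def audit_requirements(text: str, floors=SAFE_FLOORS) -> list:
    """One finding per line naming a tracked package: ok / unpinned / vulnerable."""
    findings = []
    for line in text.splitlines():
        name, m, spec = _requirement_name(line)
        if name not in floors:
            continue
        floor = parse_version(floors[name])
        op, ver = m.group(2), m.group(3)
        upper = _UPPER_RE.search(spec)
        if ver is None:
            status, reason = "unpinned", "resolver may choose any version"
        elif parse_version(ver) < floor:
            status, reason = "vulnerable", f"pinned {op}{ver}, below {floors[name]}"
        elif upper and parse_version(upper.group(1)) <= floor:
            status, reason = "vulnerable", f"upper bound <{upper.group(1)} excludes the fix"
        else:
            status, reason = "ok", "meets floor"
        findings.append({"package": name, "status": status, "reason": reason,
                         "suggested": f"{name}>={floors[name]}"})
    return findings


def rewrite_requirements(text: str, floors=SAFE_FLOORS) -> str:
    """Replace tracked pins with the safe floor and add any tracked package the
    manifest does not mention at all (transitive deps need an explicit floor)."""
    out, seen = [], set()
    for line in text.splitlines():
        name, _, _ = _requirement_name(line)
        if name in floors:
            seen.add(name)
            out.append(f"{name}>={floors[name]}")
        else:
            out.append(line)  # comments and untracked packages pass through
    for name, floor in floors.items():
        if name not in seen:
            out.append(f"{name}>={floor}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{f['package']:<9} {f['status']:<11} {f['reason']}  ->  {f['suggested']}")
    print("\nfixed requirements.txt:\n" + rewrite_requirements(SAMPLE_REQUIREMENTS))
```

On the sample manifest both httpx and h11 are reported vulnerable (the h11 line both starts below 0.16.0 and caps at <0.15), and the rewritten manifest adds an explicit `httpcore>=1.0.9` line because the original never pinned it. Feed the output to `pip install -r` and re-run pip-audit as in the steps above.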
httpx vs requests — security comparison
httpx has a shorter CVE history than requests (which has CVE-2023-32681, a leak of the Proxy-Authorization header to the destination host on redirect). If you are migrating from requests to httpx for async support, pin httpx 0.27.0+, httpcore 1.0.9+ and h11 0.16.0+ so the request smuggling fix in h11 is actually installed.