CVE-2023-32681 — requests Proxy Credential Leak MEDIUM
🔴 CISA KEV
pypi
CVSS 6.1 · requests < 2.31.0 → 2.31.0
The Python requests library leaks Proxy-Authorization headers when following HTTP redirects from HTTPS to HTTP. Any application using requests with proxy authentication and following redirects could expose proxy credentials to the redirect destination.
What's affected
| Package | Ecosystem | Vulnerable | Safe version | Fix guide |
|---|---|---|---|---|
| requests | pypi | < 2.31.0 | 2.31.0 | Full fix guide → |
How to fix CVE-2023-32681
- Update requests to 2.31.0
- Run pip install -r requirements.txt
- Review any code that uses proxies with requests and follows redirects
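For the review step above, a static pass over the code base can list the requests call sites that pass proxies= and still follow redirects. This is an added example, not code from PackageFix or the requests project; the function names and the sample module are constructed for illustration.

```python
import ast

# Methods that send a request on `requests` or on a Session object.
SENDERS = {"get", "post", "put", "patch", "delete", "head", "options", "request"}

def follows_redirects(call: ast.Call, method: str) -> bool:
    """True unless the call site clearly disables redirect following."""
    for kw in call.keywords:
        if kw.arg == "allow_redirects":
            # A non-literal value cannot be resolved statically: keep it for review.
            return bool(kw.value.value) if isinstance(kw.value, ast.Constant) else True
    # requests defaults allow_redirects to True, except for head().
    return method != "head"

def proxy_redirect_call_sites(source: str) -> list[tuple[int, str]]:
    """Return (line, snippet) for calls that pass proxies= and follow redirects."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        method = node.func.attr
        if method not in SENDERS:
            continue
        passes_proxies = any(kw.arg == "proxies" for kw in node.keywords)
        if passes_proxies and follows_redirects(node, method):
            hits.append((node.lineno, ast.get_source_segment(source, node)))
    return sorted(hits)

# Constructed sample module; the proxy URL and hosts are placeholders.
SAMPLE = '''\
import requests
PROXIES = {"https": "http://user:pass@proxy.example:3128"}
requests.get("https://api.example/a", proxies=PROXIES)
requests.get("https://api.example/b", proxies=PROXIES, allow_redirects=False)
requests.head("https://api.example/c", proxies=PROXIES)
s = requests.Session()
s.post("https://api.example/d", data=b"x", proxies=PROXIES, allow_redirects=True)
requests.get("https://api.example/e")
'''

if __name__ == "__main__":
    for line, snippet in proxy_redirect_call_sites(SAMPLE):
        print(f"line {line}: {snippet}")
```

The scan only sees proxies passed as a keyword argument at the call site; proxies configured on session.proxies or through proxy environment variables need a separate look.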
✓ Verify with PackageFix
Paste your manifest into PackageFix to confirm the fix was applied. If CVE-2023-32681 no longer appears in the CVE table, you're clean.
Frequently Asked Questions
Who is affected by CVE-2023-32681?
Applications using requests with proxy authentication (Proxy-Authorization header) that also follow HTTP redirects. If you don't use proxy authentication, you are not affected.
Is requests widely used?
requests is one of the most downloaded Python packages — over 300 million downloads per month. Even a MEDIUM severity CVE affects a massive surface area.
What's the fix?
Update to requests 2.31.0. The fix strips Proxy-Authorization headers on redirect to different hosts.