Skip to content

[Cycode] Fix for vulnerable manifest file dependency - requests updated to version 2.32.0 #148

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
cycode-security wants to merge 1 commit into
base: main
Choose a base branch
from
Open

[Cycode] Fix for vulnerable manifest file dependency - requests updated to version 2.32.0 #148

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion gitea/repositories/white-rabbit/docs/requirements.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
-r ../dev-requirements.txt
sphinx>3.0.0
requests>=2,<2.16
requests==2.32.0

Check failure on line 3 in gitea/repositories/white-rabbit/docs/requirements.txt

View check run for this annotation

Cycode Security (EU) / Cycode: Vulnerable Dependencies

gitea/repositories/white-rabbit/docs/requirements.txt#L3 

Vulnerability found in dependency found

Check failure on line 3 in gitea/repositories/white-rabbit/docs/requirements.txt

View check run for this annotation

Cycode Security / Cycode: Vulnerable Dependencies

gitea/repositories/white-rabbit/docs/requirements.txt#L3 

Vulnerability found in dependency found

Check failure on line 3 in gitea/repositories/white-rabbit/docs/requirements.txt

View check run for this annotation

Cycode Security / Cycode: Vulnerable Dependencies

gitea/repositories/white-rabbit/docs/requirements.txt#L3 

Vulnerability found in dependency found

@cycode-security cycode-security Bot May 9, 2026

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cycode: Security vulnerability found in newly introduced dependency.
Severity Medium
Issue Requests vulnerable to .netrc credentials leak via malicious URLs: CVE-2024-47081
Ecosystem PyPI
Dependency requests
Dependency Paths requests 2.32.0
Direct Dependency Yes
Upgrade 2.32.4

Impact

Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs.

Workarounds

For older versions of Requests, use of the .netrc file can be disabled with trust_env=False on your Requests Session (docs).

References

psf/requests#6965
https://seclists.org/fulldisclosure/2025/Jun/2

Description

Detects when new vulnerabilities affect your dependencies.

Tell us how you wish to proceed using one of the following commands:

Tag Short Description
#cycode_ignore_manifest_here <reason> Applies to this manifest in this request only
#cycode_ignore_package_everywhere <reason> Applies to this manifest for this package for all requests in your repository
#cycode_ignore_package_here <reason> Applies to this manifest for this package in this request only
#cycode_vulnerable_package_fix_this_violation Fix this violation via a commit to this branch

⚠️ When commenting on Github, you may need to refresh the page to see the latest updates.

@cycode-security cycode-security Bot May 9, 2026

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cycode: Security vulnerability found in newly introduced dependency.
Severity Medium
Issue Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function: CVE-2026-25645
Ecosystem PyPI
Dependency requests
Dependency Paths requests 2.32.0
Direct Dependency Yes
Upgrade 2.33.0

Impact

The requests.utils.extract_zipped_paths() utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one.

Affected usages

Standard usage of the Requests library is not affected by this vulnerability. Only applications that call extract_zipped_paths() directly are impacted.

Remediation

Upgrade to at least Requests 2.33.0, where the library now extracts files to a non-deterministic location.

If developers are unable to upgrade, they can set TMPDIR in their environment to a directory with restricted write access.

Description

Detects when new vulnerabilities affect your dependencies.

Tell us how you wish to proceed using one of the following commands:

Tag Short Description
#cycode_ignore_manifest_here <reason> Applies to this manifest in this request only
#cycode_ignore_package_everywhere <reason> Applies to this manifest for this package for all requests in your repository
#cycode_ignore_package_here <reason> Applies to this manifest for this package in this request only
#cycode_vulnerable_package_fix_this_violation Fix this violation via a commit to this branch

⚠️ When commenting on Github, you may need to refresh the page to see the latest updates.

@cycode-security-eu cycode-security-eu Bot May 9, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cycode: Security vulnerabilities found in newly introduced dependency.
Ecosystem PyPI
Dependency requests
Dependency Paths requests 2.32.0
Direct Dependency Yes

The following vulnerabilities were introduced:

GHSA CVE Severity Fixed Version
GHSA-gc5v-m9x4-r6x2 CVE-2026-25645 MEDIUM 2.33.0
GHSA-9hjg-9r4m-mvj7 CVE-2024-47081 MEDIUM 2.32.4

Highest fixed version: 2.33.0

Description

Detects when new vulnerabilities affect your dependencies.

Tell us how you wish to proceed using one of the following commands:

Tag Short Description
#cycode_ignore_package_everywhere <reason> Applies to this manifest for this package for all requests in your repository
#cycode_ignore_manifest_here <reason> Applies to this manifest in this request only
#cycode_ignore_package_here <reason> Applies to this manifest for this package in this request only
#cycode_vulnerable_package_fix_this_violation Fix this violation via a commit to this branch

⚠️ When commenting on Github, you may need to refresh the page to see the latest updates.

furo
sphinx-copybutton