{"api_version":"1","generated_at":"2026-04-22T19:36:53+00:00","cve":"CVE-2023-32681","urls":{"html":"https://cve.report/CVE-2023-32681","api":"https://cve.report/api/cve/CVE-2023-32681.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-32681","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-32681"},"summary":{"title":"CVE-2023-32681","description":"Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.","state":"PUBLIC","assigner":"security-advisories@github.com","published_at":"2023-05-26 18:15:00","updated_at":"2023-09-17 09:15:00"},"problem_types":["CWE-200"],"metrics":[],"references":[{"url":"https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5","name":"https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5","refsource":"MISC","tags":[],"title":"Merge pull request from GHSA-j8r2-6x86-q33q · psf/requests@74ea7cf · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y/","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y/","refsource":"MISC","tags":[],"title":"[SECURITY] Fedora 37 Update: python-requests-2.28.1-3.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/psf/requests/releases/tag/v2.31.0","name":"https://github.com/psf/requests/releases/tag/v2.31.0","refsource":"MISC","tags":[],"title":"Release v2.31.0 · psf/requests · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.debian.org/debian-lts-announce/2023/06/msg00018.html","name":"https://lists.debian.org/debian-lts-announce/2023/06/msg00018.html","refsource":"MISC","tags":[],"title":"[SECURITY] [DLA 3456-1] requests security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q","name":"https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q","refsource":"MISC","tags":[],"title":"Unintended leak of Proxy-Authorization header · Advisory · psf/requests · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KOYASTZDGQG2BWLSNBPL3TQRL2G7QYNZ/","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KOYASTZDGQG2BWLSNBPL3TQRL2G7QYNZ/","refsource":"MISC","tags":[],"title":"[SECURITY] Fedora 38 Update: mingw-python-requests-2.31.0-1.fc38 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.gentoo.org/glsa/202309-08","name":"https://security.gentoo.org/glsa/202309-08","refsource":"MISC","tags":[],"title":"Requests: Information Leak (GLSA 202309-08) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-32681","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-32681","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"32681","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"37","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"32681","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"python","cpe5":"requests","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2023-32681","qid":"160831","title":"Oracle Enterprise Linux Security Update for python-requests (ELSA-2023-4350)"},{"cve":"CVE-2023-32681","qid":"160861","title":"Oracle Enterprise Linux Security Update for python-requests (ELSA-2023-4520)"},{"cve":"CVE-2023-32681","qid":"161146","title":"Oracle Enterprise Linux Security Update for python39:3.9 and python39-devel:3.9 (ELSA-2023-7034)"},{"cve":"CVE-2023-32681","qid":"161154","title":"Oracle Enterprise Linux Security Update for python27:2.7 (ELSA-2023-7042)"},{"cve":"CVE-2023-32681","qid":"161165","title":"Oracle Enterprise Linux Security Update for python38:3.8 and python38-devel:3.8 (ELSA-2023-7050)"},{"cve":"CVE-2023-32681","qid":"181876","title":"Debian Security Update for requests (DLA 3456-1)"},{"cve":"CVE-2023-32681","qid":"199408","title":"Ubuntu Security Notification for Requests Vulnerability (USN-6155-1)"},{"cve":"CVE-2023-32681","qid":"199579","title":"Ubuntu Security Notification for Requests Vulnerability (USN-6155-2)"},{"cve":"CVE-2023-32681","qid":"241889","title":"Red Hat Update for python-requests (RHSA-2023:4350)"},{"cve":"CVE-2023-32681","qid":"241928","title":"Red Hat Update for python-requests (RHSA-2023:4520)"},{"cve":"CVE-2023-32681","qid":"242344","title":"Red Hat Update for rh-python38-python (RHSA-2023:6793)"},{"cve":"CVE-2023-32681","qid":"242347","title":"Red Hat Update for Satellite 6.14 (RHSA-2023:6818)"},{"cve":"CVE-2023-32681","qid":"242414","title":"Red Hat Update for python39:3.9 and python39-devel:3.9 (RHSA-2023:7034)"},{"cve":"CVE-2023-32681","qid":"242431","title":"Red Hat Update for python38:3.8 and python38-devel:3.8 (RHSA-2023:7050)"},{"cve":"CVE-2023-32681","qid":"242436","title":"Red Hat Update for python27:2.7 (RHSA-2023:7042)"},{"cve":"CVE-2023-32681","qid":"242722","title":"Red Hat Update for python-requests (RHSA-2024:0299)"},{"cve":"CVE-2023-32681","qid":"283999","title":"Fedora Security Update for python (FEDORA-2023-078e257f1c)"},{"cve":"CVE-2023-32681","qid":"284096","title":"Fedora Security Update for mingw (FEDORA-2023-f3824383be)"},{"cve":"CVE-2023-32681","qid":"284106","title":"Fedora Security Update for python (FEDORA-2023-521ebb9cbb)"},{"cve":"CVE-2023-32681","qid":"355605","title":"Amazon Linux Security Advisory for python3-requests : ALAS2-2023-2111"},{"cve":"CVE-2023-32681","qid":"355612","title":"Amazon Linux Security Advisory for python-requests : ALAS2-2023-2110"},{"cve":"CVE-2023-32681","qid":"355638","title":"Amazon Linux Security Advisory for python-requests : ALAS2023-2023-236"},{"cve":"CVE-2023-32681","qid":"673269","title":"EulerOS Security Update for python-pip (EulerOS-SA-2023-2626)"},{"cve":"CVE-2023-32681","qid":"673284","title":"EulerOS Security Update for python-pip (EulerOS-SA-2023-2596)"},{"cve":"CVE-2023-32681","qid":"673286","title":"EulerOS Security Update for python-requests (EulerOS-SA-2023-2597)"},{"cve":"CVE-2023-32681","qid":"673305","title":"EulerOS Security Update for python-requests (EulerOS-SA-2023-2627)"},{"cve":"CVE-2023-32681","qid":"673358","title":"EulerOS Security Update for python-requests (EulerOS-SA-2023-2665)"},{"cve":"CVE-2023-32681","qid":"673414","title":"EulerOS Security Update for python-requests (EulerOS-SA-2023-2822)"},{"cve":"CVE-2023-32681","qid":"673428","title":"EulerOS Security Update for python-pip (EulerOS-SA-2023-2821)"},{"cve":"CVE-2023-32681","qid":"673541","title":"EulerOS Security Update for python-pip (EulerOS-SA-2023-3151)"},{"cve":"CVE-2023-32681","qid":"673625","title":"EulerOS Security Update for python-requests (EulerOS-SA-2023-2707)"},{"cve":"CVE-2023-32681","qid":"673813","title":"EulerOS Security Update for python-pip (EulerOS-SA-2023-2797)"},{"cve":"CVE-2023-32681","qid":"673854","title":"EulerOS Security Update for python-requests (EulerOS-SA-2023-3152)"},{"cve":"CVE-2023-32681","qid":"673967","title":"EulerOS Security Update for python-requests (EulerOS-SA-2023-2798)"},{"cve":"CVE-2023-32681","qid":"710749","title":"Gentoo Linux Requests Information Leak Vulnerability (GLSA 202309-08)"},{"cve":"CVE-2023-32681","qid":"754188","title":"SUSE Enterprise Linux Security Update for python-requests (SUSE-SU-2023:2866-1)"},{"cve":"CVE-2023-32681","qid":"754189","title":"SUSE Enterprise Linux Security Update for python-requests (SUSE-SU-2023:2865-1)"},{"cve":"CVE-2023-32681","qid":"754230","title":"SUSE Enterprise Linux Security Update for python-requests (SUSE-SU-2023:3094-1)"},{"cve":"CVE-2023-32681","qid":"755886","title":"SUSE Enterprise Linux Security Update for python-requests (SUSE-SU-2023:2638-1)"},{"cve":"CVE-2023-32681","qid":"755887","title":"SUSE Enterprise Linux Security Update for python3-requests (SUSE-SU-2023:2883-1)"},{"cve":"CVE-2023-32681","qid":"907016","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for python-requests (26963-1)"},{"cve":"CVE-2023-32681","qid":"907030","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for python-requests (26985-1)"},{"cve":"CVE-2023-32681","qid":"941199","title":"AlmaLinux Security Update for python-requests (ALSA-2023:4350)"},{"cve":"CVE-2023-32681","qid":"941219","title":"AlmaLinux Security Update for python-requests (ALSA-2023:4520)"},{"cve":"CVE-2023-32681","qid":"941465","title":"AlmaLinux Security Update for python38:3.8 and python38-devel:3.8 (ALSA-2023:7050)"},{"cve":"CVE-2023-32681","qid":"941467","title":"AlmaLinux Security Update for python39:3.9 and python39-devel:3.9 (ALSA-2023:7034)"},{"cve":"CVE-2023-32681","qid":"941480","title":"AlmaLinux Security Update for python27:2.7 (ALSA-2023:7042)"},{"cve":"CVE-2023-32681","qid":"961065","title":"Rocky Linux Security Update for Satellite (RLSA-2023:6818)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2023-32681","ASSIGNER":"security-advisories@github.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.\n\n"}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","cweId":"CWE-200"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"psf","product":{"product_data":[{"product_name":"requests","version":{"version_data":[{"version_affected":"=","version_value":">= 2.3.0, < 2.31.0"}]}}]}}]}},"references":{"reference_data":[{"url":"https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q","refsource":"MISC","name":"https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q"},{"url":"https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5","refsource":"MISC","name":"https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5"},{"url":"https://github.com/psf/requests/releases/tag/v2.31.0","refsource":"MISC","name":"https://github.com/psf/requests/releases/tag/v2.31.0"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KOYASTZDGQG2BWLSNBPL3TQRL2G7QYNZ/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KOYASTZDGQG2BWLSNBPL3TQRL2G7QYNZ/"},{"url":"https://lists.debian.org/debian-lts-announce/2023/06/msg00018.html","refsource":"MISC","name":"https://lists.debian.org/debian-lts-announce/2023/06/msg00018.html"},{"url":"https://security.gentoo.org/glsa/202309-08","refsource":"MISC","name":"https://security.gentoo.org/glsa/202309-08"}]},"source":{"advisory":"GHSA-j8r2-6x86-q33q","discovery":"UNKNOWN"},"impact":{"cvss":[{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.1,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N","version":"3.1"}]}},"nvd":{"publishedDate":"2023-05-26 18:15:00","lastModifiedDate":"2023-09-17 09:15:00","problem_types":["CWE-200"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":6.1,"baseSeverity":"MEDIUM"},"exploitabilityScore":1.6,"impactScore":4}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:python:requests:*:*:*:*:*:*:*:*","versionStartIncluding":"2.3.0","versionEndExcluding":"2.31.0","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}