PT-2023-3599 · Pypi · Requests · Smashits
Published 2023-05-22 · Updated 2026-05-04
CVE-2023-32681
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N (network-reachable, high attack complexity, no privileges, user interaction required, changed scope, high confidentiality impact only)
Name of the Vulnerable Software and Affected Versions
Requests versions 2.3.0 through 2.30.0
Description
Requests versions 2.3.0 through 2.30.0 can leak the Proxy-Authorization header to the destination server when a request is redirected to an HTTPS endpoint. The cause is how the rebuild_proxies function, which runs on every redirect, reattaches the Proxy-Authorization header (built from the credentials in the configured proxy URL) to the redirected request. For plain-HTTP requests sent through a proxy this is harmless: the proxy reads the header from the request itself and strips it before forwarding to the destination server. Over HTTPS, however, the proxy only sees the CONNECT request that opens the tunnel, so proxy credentials must be carried in that CONNECT request; the proxy has no visibility into the tunneled request and relays its bytes untouched. A Proxy-Authorization header placed on the tunneled request therefore reaches the destination server, allowing a malicious actor who controls the redirect target to capture the proxy credentials.
Recommendations
For versions 2.3.0 through 2.30.0, update to version 2.31.0 to resolve the issue.
As a temporary workaround for users who are not able to update Requests immediately, disable redirects by setting allow_redirects=False on all calls through the Requests top-level APIs (requests.get, requests.post, Session.request and so on). Note that if you're currently relying on redirect behaviour, you will need to capture the 3xx response codes yourself and ensure a new request is made to the redirect destination.
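To make the mechanism concrete, the following Python model is added here; it is not code from the Requests project and does not call the library. It only mimics the two behaviours the description attributes to the redirect path: a hook that re-attaches Proxy-Authorization to the redirected request (in a vulnerable and a corrected variant), and a forwarding proxy that can see a plain-HTTP request but not the inside of a TLS tunnel. The function names, the proxy URL and the credential are assumptions.

```python
"""Added model of the leak described above. Illustrative code written for this
page, not code from the Requests project; function names, proxy URL and the
credential are assumptions. It mimics the redirect hook that re-attaches
Proxy-Authorization and a proxy that sees plain HTTP but not a TLS tunnel."""
from base64 import b64encode
from urllib.parse import urlparse

PROXY_AUTH = "Proxy-Authorization"


def basic_auth_str(username, password):
    """RFC 7617 Basic credential, as a proxy expects it."""
    token = b64encode(f"{username}:{password}".encode("latin1")).decode("ascii")
    return "Basic " + token


def proxy_credentials(proxy_url):
    """(username, password) from the userinfo part of a proxy URL, or None."""
    parts = urlparse(proxy_url)
    if not parts.username:
        return None
    return parts.username, parts.password or ""


def rebuild_proxy_auth(url, headers, proxies, fixed):
    """Model of the redirect hook: drop any carried-over Proxy-Authorization and
    re-attach it from the proxy configured for the target scheme. The vulnerable
    variant re-attaches it unconditionally; the corrected variant leaves it off
    https targets, where the transport must send it in the CONNECT request."""
    scheme = urlparse(url).scheme
    out = {k: v for k, v in headers.items() if k.lower() != PROXY_AUTH.lower()}
    creds = proxy_credentials(proxies.get(scheme, ""))
    if creds and (scheme != "https" or not fixed):
        out[PROXY_AUTH] = basic_auth_str(*creds)
    return out


def forward_through_proxy(url, headers, proxies):
    """Model of the proxy. Returns (headers the proxy itself sees, headers the
    destination sees). For http the proxy consumes Proxy-Authorization and
    forwards the rest; for https it only sees the CONNECT request and relays
    the tunneled bytes untouched, so whatever is inside reaches the origin."""
    scheme = urlparse(url).scheme
    if scheme == "https":
        creds = proxy_credentials(proxies.get("https", ""))
        connect = {PROXY_AUTH: basic_auth_str(*creds)} if creds else {}
        return connect, dict(headers)
    forwarded = {k: v for k, v in headers.items() if k.lower() != PROXY_AUTH.lower()}
    return dict(headers), forwarded


def headers_seen_by_destination(target_url, proxies, fixed, carried=None):
    """Headers the redirect target receives after one redirect hop."""
    carried = dict(carried or {"User-Agent": "demo-client"})
    hop_headers = rebuild_proxy_auth(target_url, carried, proxies, fixed)
    _proxy_seen, dest_seen = forward_through_proxy(target_url, hop_headers, proxies)
    return dest_seen


def leaks_proxy_auth(target_url, proxies, fixed):
    """True when the proxy credential would reach the redirect target."""
    return PROXY_AUTH in headers_seen_by_destination(target_url, proxies, fixed)


if __name__ == "__main__":
    # Constructed proxy configuration; the credential is a placeholder.
    proxies = {"http": "http://user:s3cret@proxy.test:8080",
               "https": "http://user:s3cret@proxy.test:8080"}
    for target in ("http://origin.test/next", "https://origin.test/next"):
        for fixed in (False, True):
            label = "fixed     " if fixed else "vulnerable"
            print(f"{label} -> {target}: leak={leaks_proxy_auth(target, proxies, fixed)}")
```

Running the model shows the asymmetry the description relies on: with the vulnerable hook, a redirect to an http:// target never exposes the credential (the proxy strips it), while a redirect to an https:// target delivers it to the origin inside the tunnel; with the corrected hook the https case stops leaking because the header is only ever sent in the CONNECT request.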
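One way to implement the workaround, as an added example that is not the Requests project's own code: every call is made with allow_redirects=False, and each 3xx hop is turned into a brand-new request built only from the resolved Location, so nothing from the previous hop's headers (Proxy-Authorization included) is carried across. The sender is injected so the loop can be exercised offline with a constructed fake; `requests` is only needed if `requests_sender` is used. Function and class names, the routes and the URLs are assumptions.

```python
"""Added example (not code from the Requests project) of manual redirect
handling with allow_redirects=False. Names, routes and URLs are assumptions."""
from urllib.parse import urljoin, urlparse

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


class TooManyRedirects(Exception):
    pass


def next_method(status, method):
    """303 becomes GET (except HEAD); 301/302 downgrade non-GET/HEAD to GET, as
    browsers and most clients do; 307/308 keep the original method."""
    if status == 303 and method != "HEAD":
        return "GET"
    if status in (301, 302) and method not in ("GET", "HEAD"):
        return "GET"
    return method


def follow_redirects(send, url, method="GET", max_hops=5):
    """send(method, url) must issue ONE request without following redirects and
    return an object with .status_code and .headers (a mapping).
    Returns (final_response, hops) where hops lists every (method, url, status)."""
    hops = []
    for _ in range(max_hops + 1):
        resp = send(method, url)
        hops.append((method, url, resp.status_code))
        location = resp.headers.get("Location")
        if resp.status_code not in REDIRECT_STATUSES or not location:
            return resp, hops
        # Resolve relative Location values against the URL that issued them,
        # then build the next hop from that URL alone: no headers are copied.
        url = urljoin(url, location)
        if urlparse(url).scheme not in ("http", "https"):
            raise ValueError(f"refusing redirect to non-HTTP(S) URL: {url}")
        method = next_method(resp.status_code, method)
    raise TooManyRedirects(f"exceeded {max_hops} redirects starting at {hops[0][1]}")


def requests_sender(session, proxies=None, **kwargs):
    """Wrap a requests.Session (assumed installed only when this is called).
    allow_redirects=False is forced on every hop."""
    def send(method, url):
        return session.request(method, url, allow_redirects=False,
                               proxies=proxies, **kwargs)
    return send


class FakeResponse:
    """Constructed stand-in for a requests.Response, for offline demonstration."""
    def __init__(self, status_code, headers=None):
        self.status_code = status_code
        self.headers = headers or {}


def fake_sender(routes):
    """routes maps (method, url) -> FakeResponse; unknown pairs get a 404."""
    seen = []

    def send(method, url):
        seen.append((method, url))
        return routes.get((method, url), FakeResponse(404))

    send.seen = seen
    return send


# Constructed redirect chain: a plain-HTTP POST that is bounced to HTTPS and
# then to a relative path, the shape of redirect the advisory is about.
DEMO_ROUTES = {
    ("POST", "http://origin.test/submit"): FakeResponse(302, {"Location": "https://origin.test/submit"}),
    ("GET", "https://origin.test/submit"): FakeResponse(301, {"Location": "/final"}),
    ("GET", "https://origin.test/final"): FakeResponse(200),
}

if __name__ == "__main__":
    resp, hops = follow_redirects(fake_sender(DEMO_ROUTES), "http://origin.test/submit", method="POST")
    for hop in hops:
        print(hop)
    print("final status:", resp.status_code)
```

With a real session the call is `follow_redirects(requests_sender(session, proxies=proxies), url)`. Because each hop goes through `session.request` with only a method and a URL, the proxy credential for that hop is derived freshly from the proxy URL by the transport rather than copied from the previous request's headers, which is exactly the copy the vulnerable redirect path performed.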
Weakness Enumeration
Information Disclosure
Affected Products
Alt Linux
Almalinux
Astra Linux
Centos
Debian
Linuxmint
Red Hat
Red Os
Requests
Rocky Linux
Suse
Ubuntu