CVE-2024-35195 MEDIUM

CVE-2024-35195: Requests `Session` object does not verify requests after making first request with verify=False

Vendor Psf
Product requests
Weakness CWE-670
Published May 20, 2024
Last update July 31, 2025

CVSS base score

5.6/10
Attack vector Local
Attack complexity High
Privileges required High
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N

What the vulnerability does

01 Description

Requests is an HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable certificate verification, all subsequent requests to the same host continue to ignore certificate verification regardless of changes to the value of `verify`. This behavior persists for the lifecycle of the connection in the connection pool. The vulnerability is fixed in 2.32.0.
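A static check for the call pattern described above, as an added example that is not part of the advisory or of the Requests project: it flags a `Session` whose first call passes `verify=False` and which is then reused without it, and compares a version string against 2.32.0. The function names and the sample source are constructed for illustration; calls are ordered by line number and hosts are not compared, so the check over-reports.

```python
import ast
import re

FIXED = (2, 32, 0)  # first fixed Requests release, per the advisory
HTTP_METHODS = {"request", "get", "post", "put", "patch", "delete", "head", "options"}

def is_affected(version):
    """True when a Requests version string is older than 2.32.0."""
    nums = [int(re.match(r"\d*", p).group() or 0) for p in version.split(".")[:3]]
    return tuple(nums + [0] * (3 - len(nums))) < FIXED

def _is_session_ctor(node):
    f = getattr(node, "func", None)  # matches Session() and <module>.Session()
    return isinstance(node, ast.Call) and getattr(f, "attr", getattr(f, "id", None)) == "Session"

def find_mixed_verify(source):
    """Return (session, first_call_line, later_call_line) for risky reuse."""
    tree = ast.parse(source)
    sessions, calls = set(), {}
    for node in ast.walk(tree):  # pass 1: names bound to a Session object
        if isinstance(node, ast.Assign) and _is_session_ctor(node.value):
            sessions.update(t.id for t in node.targets if isinstance(t, ast.Name))
        elif isinstance(node, ast.withitem) and _is_session_ctor(node.context_expr):
            if isinstance(node.optional_vars, ast.Name):
                sessions.add(node.optional_vars.id)
    for node in ast.walk(tree):  # pass 2: HTTP calls made on those names
        f = getattr(node, "func", None)
        if not (isinstance(node, ast.Call) and isinstance(f, ast.Attribute)):
            continue
        if isinstance(f.value, ast.Name) and f.value.id in sessions and f.attr in HTTP_METHODS:
            off = any(k.arg == "verify" and isinstance(k.value, ast.Constant)
                      and k.value.value is False for k in node.keywords)
            calls.setdefault(f.value.id, []).append((node.lineno, off))
    findings = []
    for name, seq in calls.items():
        seq.sort()
        if seq[0][1]:  # first call on this session disabled verification
            findings += [(name, seq[0][0], ln) for ln, off in seq[1:] if not off]
    return sorted(findings)

# Constructed sample source; the host is a placeholder.
SAMPLE = '''
import requests
s = requests.Session()
s.get("https://internal.example/health", verify=False)
s.get("https://internal.example/secrets", verify=True)
'''

if __name__ == "__main__":
    print(find_mixed_verify(SAMPLE), is_affected("2.31.0"))
```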

Key dates

02 Disclosure timeline

May 20, 2024 CVE published
July 31, 2025 Record updated