requests is vulnerable to Server-Side Request Forgery (SSRF)
59
Medium Risk
The should_bypass_proxies logic in requests matches a request host against no_proxy entries using an unanchored suffix comparison. Because the check is greedy and ignores domain boundaries, a host such as evilexample.com is treated as covered by a no_proxy value of example.com. An attacker who controls or influences such a look-alike host can make the client skip the configured proxy and connect directly, bypassing proxy-based egress controls and SSRF protections that rely on no_proxy. The fix ports CPython's bpo-39057 change to constrain no_proxy matching to proper domain boundaries.
You are affected if you are using a version that falls within the vulnerable range and rely on no_proxy/NO_PROXY rules to control which hosts bypass the configured proxy.
requests is vulnerable to Server-Side Request Forgery (SSRF) in versions 1.0.0 - 2.33.1.
Upgrade the requests library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant