Vulnerable Library - hvac-2.3.0-py3-none-any.whl
Path to dependency file: /tmp/ws-ua_20240730130235_KVVOZT/cmd_NQQTWK/20240730131321/.ws-temp-MPQIJO-requirements.txt
Path to vulnerable library: /tmp/ws-ua_20240730130235_KVVOZT/cmd_NQQTWK/20240730131321/.ws-temp-MPQIJO-requirements.txt,/tmp/ws-ua_20240730130235_KVVOZT/cmd_NQQTWK/20240730130652/.ws-temp-PDFBNV-requirements.txt
Vulnerabilities
| Vulnerability |
Severity |
 CVSS |
Dependency |
Type |
Fixed in (hvac version) |
Remediation Possible** |
| CVE-2024-47081 |
 Medium |
5.3 |
requests-2.32.3-py3-none-any.whl |
Transitive |
2.4.0 |
❌ |
| CVE-2026-25645 |
Medium |
4.4 |
requests-2.32.3-py3-none-any.whl |
Transitive |
N/A* |
❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-47081
Vulnerable Library - requests-2.32.3-py3-none-any.whl
Python HTTP for Humans.
Library home page: https://files.pythonhosted.org/packages/f9/9b/335f9764261e915ed497fcdeb11df5dfd6f7bf257d4a6a2a686d80da4d54/requests-2.32.3-py3-none-any.whl
Path to dependency file: /tmp/ws-ua_20240730130235_KVVOZT/cmd_NQQTWK/20240730131321/.ws-temp-MPQIJO-requirements.txt
Path to vulnerable library: /tmp/ws-ua_20240730130235_KVVOZT/cmd_NQQTWK/20240730131321/.ws-temp-MPQIJO-requirements.txt,/tmp/ws-ua_20240730130235_KVVOZT/cmd_NQQTWK/20240730130652/.ws-temp-PDFBNV-requirements.txt
Dependency Hierarchy:
- hvac-2.3.0-py3-none-any.whl (Root Library)
- ❌ requests-2.32.3-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc file can be disabled with "trust_env=False" on one's Requests Session.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-06-09
URL: CVE-2024-47081
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-9hjg-9r4m-mvj7
Release Date: 2025-06-09
Fix Resolution (requests): 2.32.4
Direct dependency fix Resolution (hvac): 2.4.0
Step up your Open Source Security Game with Mend here
CVE-2026-25645
Vulnerable Library - requests-2.32.3-py3-none-any.whl
Python HTTP for Humans.
Library home page: https://files.pythonhosted.org/packages/f9/9b/335f9764261e915ed497fcdeb11df5dfd6f7bf257d4a6a2a686d80da4d54/requests-2.32.3-py3-none-any.whl
Path to dependency file: /tmp/ws-ua_20240730130235_KVVOZT/cmd_NQQTWK/20240730131321/.ws-temp-MPQIJO-requirements.txt
Path to vulnerable library: /tmp/ws-ua_20240730130235_KVVOZT/cmd_NQQTWK/20240730131321/.ws-temp-MPQIJO-requirements.txt,/tmp/ws-ua_20240730130235_KVVOZT/cmd_NQQTWK/20240730130652/.ws-temp-PDFBNV-requirements.txt
Dependency Hierarchy:
- hvac-2.3.0-py3-none-any.whl (Root Library)
- ❌ requests-2.32.3-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Requests is a HTTP library. Prior to version 2.33.0, the "requests.utils.extract_zipped_paths()" utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. Standard usage of the Requests library is not affected by this vulnerability. Only applications that call "extract_zipped_paths()" directly are impacted. Starting in version 2.33.0, the library extracts files to a non-deterministic location. If developers are unable to upgrade, they can set "TMPDIR" in their environment to a directory with restricted write access.
Publish Date: 2026-03-25
URL: CVE-2026-25645
CVSS 3 Score Details (4.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-25
Fix Resolution: https://github.com/psf/requests.git - v2.33.0
Step up your Open Source Security Game with Mend here
Path to dependency file: /tmp/ws-ua_20240730130235_KVVOZT/cmd_NQQTWK/20240730131321/.ws-temp-MPQIJO-requirements.txt
Path to vulnerable library: /tmp/ws-ua_20240730130235_KVVOZT/cmd_NQQTWK/20240730131321/.ws-temp-MPQIJO-requirements.txt,/tmp/ws-ua_20240730130235_KVVOZT/cmd_NQQTWK/20240730130652/.ws-temp-PDFBNV-requirements.txt
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - requests-2.32.3-py3-none-any.whl
Python HTTP for Humans.
Library home page: https://files.pythonhosted.org/packages/f9/9b/335f9764261e915ed497fcdeb11df5dfd6f7bf257d4a6a2a686d80da4d54/requests-2.32.3-py3-none-any.whl
Path to dependency file: /tmp/ws-ua_20240730130235_KVVOZT/cmd_NQQTWK/20240730131321/.ws-temp-MPQIJO-requirements.txt
Path to vulnerable library: /tmp/ws-ua_20240730130235_KVVOZT/cmd_NQQTWK/20240730131321/.ws-temp-MPQIJO-requirements.txt,/tmp/ws-ua_20240730130235_KVVOZT/cmd_NQQTWK/20240730130652/.ws-temp-PDFBNV-requirements.txt
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc file can be disabled with "trust_env=False" on one's Requests Session.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-06-09
URL: CVE-2024-47081
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-9hjg-9r4m-mvj7
Release Date: 2025-06-09
Fix Resolution (requests): 2.32.4
Direct dependency fix Resolution (hvac): 2.4.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - requests-2.32.3-py3-none-any.whl
Python HTTP for Humans.
Library home page: https://files.pythonhosted.org/packages/f9/9b/335f9764261e915ed497fcdeb11df5dfd6f7bf257d4a6a2a686d80da4d54/requests-2.32.3-py3-none-any.whl
Path to dependency file: /tmp/ws-ua_20240730130235_KVVOZT/cmd_NQQTWK/20240730131321/.ws-temp-MPQIJO-requirements.txt
Path to vulnerable library: /tmp/ws-ua_20240730130235_KVVOZT/cmd_NQQTWK/20240730131321/.ws-temp-MPQIJO-requirements.txt,/tmp/ws-ua_20240730130235_KVVOZT/cmd_NQQTWK/20240730130652/.ws-temp-PDFBNV-requirements.txt
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Requests is a HTTP library. Prior to version 2.33.0, the "requests.utils.extract_zipped_paths()" utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. Standard usage of the Requests library is not affected by this vulnerability. Only applications that call "extract_zipped_paths()" directly are impacted. Starting in version 2.33.0, the library extracts files to a non-deterministic location. If developers are unable to upgrade, they can set "TMPDIR" in their environment to a directory with restricted write access.
Publish Date: 2026-03-25
URL: CVE-2026-25645
CVSS 3 Score Details (4.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-03-25
Fix Resolution: https://github.com/psf/requests.git - v2.33.0
Step up your Open Source Security Game with Mend here