CVE-2023-32681

Unintended leak of Proxy-Authorization header in requests

Description

Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.

Category

6.1
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 4.73% Top 15%
Vendor Advisory github.com
Affected: psf requests
Published at:
Updated at:

References

Link Tags
https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q vendor advisory
https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5 patch
https://github.com/psf/requests/releases/tag/v2.31.0 release notes
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y/ third party advisory mailing list
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KOYASTZDGQG2BWLSNBPL3TQRL2G7QYNZ/
https://lists.debian.org/debian-lts-announce/2023/06/msg00018.html
https://security.gentoo.org/glsa/202309-08

Frequently Asked Questions

What is the severity of CVE-2023-32681?
CVE-2023-32681 has been scored as a medium severity vulnerability.
How to fix CVE-2023-32681?
To fix CVE-2023-32681, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-32681 being actively exploited in the wild?
It is possible that CVE-2023-32681 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~5% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-32681?
CVE-2023-32681 affects psf requests.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.