requests: Always-Incorrect Control Flow Implementation
Introduced through: mkdocs-mermaid2-plugin@0.5.2
Fixed in: requests@2.32.2
Detailed paths and remediation
Introduced through: project@0.0.0 › mkdocs-mermaid2-plugin@0.5.2 › requests@2.31.0
Fix: Pin requests to version 2.32.2
Security information
Factors contributing to the scoring:
- Snyk: CVSS 5.6 - Medium Severity
- NVD: Not available. NVD has not yet published its analysis.
Overview
Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation when making requests through a Requests Session. If the first request to a host is made with verify=False, all subsequent requests in that Session ignore certificate verification, regardless of any later change to the verify value, so an attacker in a position to present a bad certificate can bypass certificate verification.
Notes:
- For requests <2.32.0, avoid setting verify=False for the first request to a host while using a Requests Session.
- For requests <2.32.0, call close() on Session objects to clear existing connections if verify=False is used.
- This vulnerability was initially fixed in version 2.32.0, which was yanked. Therefore, the next available fixed version is 2.32.2.
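The following is an added illustration, not code from the requests project or from this advisory. It models the behaviour the overview and notes describe with a toy connection pool: in the vulnerable model the pool is keyed by host only, so a connection opened with verify=False is reused for later verify=True requests until close() drops it; in the hardened model the pool key also carries the verification setting. The class and function names, the host "example.test", and the pool-key explanation are assumptions of this simplified model rather than the library's actual internals.

```python
from dataclasses import dataclass


@dataclass
class PooledConnection:
    """A kept-alive connection, remembering the TLS verification it was opened with."""
    host: str
    verify: bool


class VulnerableSessionModel:
    """Toy model of the pre-2.32.0 behaviour from the advisory (not requests' code):
    connections are pooled by host only, so the first request's verify setting
    sticks for every later request to that host."""

    def __init__(self):
        self._pool = {}

    def request(self, host, verify=True):
        conn = self._pool.get(host)
        if conn is None:
            conn = PooledConnection(host, verify)
            self._pool[host] = conn
        # Return the verification that is actually applied to this request.
        return conn.verify

    def close(self):
        """Mitigation from the advisory notes: dropping pooled connections
        means the next request opens a fresh one with its own verify value."""
        self._pool.clear()


class FixedSessionModel(VulnerableSessionModel):
    """Hardened model: the pool key includes the verification setting, so a
    verify=False connection is never handed to a verify=True request."""

    def request(self, host, verify=True):
        key = (host, verify)
        conn = self._pool.get(key)
        if conn is None:
            conn = PooledConnection(host, verify)
            self._pool[key] = conn
        return conn.verify


def verification_trace(session_cls):
    """Replay the advisory's scenario: verify=False first, then verify=True,
    then verify=True again after close(). Returns the verification applied
    to each of the three requests."""
    session = session_cls()
    first = session.request("example.test", verify=False)   # constructed host
    second = session.request("example.test", verify=True)   # silently unverified in the vulnerable model
    session.close()                                         # the advisory's close() mitigation
    third = session.request("example.test", verify=True)    # fresh connection, verified again
    return first, second, third


if __name__ == "__main__":
    print("vulnerable:", verification_trace(VulnerableSessionModel))
    print("fixed:     ", verification_trace(FixedSessionModel))
```

The second element of the vulnerable trace is the advisory's bug: the caller asked for verification and did not get it. The third element shows why the note about close() works, and the fixed trace shows why pinning to requests 2.32.2 removes the need for either workaround.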