requests Proxy-Authorization leak (pip, <2.31.0)
Part of Dependencies & Hygiene, which counts for 10% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
Flags an exact requirements.txt pin of requests below 2.31.0, before CVE-2023-32681 fixed a Proxy-Authorization header leak across redirects to a different host.
Why it matters
requests before 2.31.0 leaks the Proxy-Authorization header to the final destination host when a proxied request is redirected to a different host than originally requested (CVE-2023-32681). If your app or a dependency uses requests with an authenticated proxy, that proxy credential can end up sent to a host you never intended, an information-disclosure risk rather than remote code execution, but a real credential leak in specific but not uncommon configurations. This check is a small, hand-picked list of known, historically-significant incidents, not a live CVE feed -- for continuous CVE monitoring, run a dedicated SCA tool (npm audit, pip-audit, OWASP Dependency-Check, Snyk, or similar) against your resolved dependency tree.
How to fix it
Upgrade requests to 2.31.0 or later. This is a drop-in upgrade with no API changes for the vast majority of callers.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo