CVE-2018-18074 in Requests Package

Summary

by MITRE

The Requests package through 2.19.1 before 2018-09-14 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.


Analysis

by VulDB Data Team • 01/26/2026

The vulnerability described in CVE-2018-18074 represents a critical security flaw in the Python Requests library that persisted through version 2.19.1 and was addressed in September 2018. This issue stems from the library's handling of HTTP redirects, specifically when transitioning from secure HTTPS connections to insecure HTTP connections while maintaining the same hostname. The flaw creates an unexpected behavior where authentication credentials that were originally sent to an HTTPS endpoint are automatically forwarded to the subsequent HTTP endpoint during the redirect process.

Technically, the flaw lies in the library's redirect handling, which did not strip the Authorization header when a redirect crossed from one protocol to another. When a server answers an HTTPS request with a redirect to an HTTP URI on the same hostname, the library preserves the Authorization header from the original request and sends it again over the plaintext connection. This violates basic principles of protocol isolation and credential handling: tokens and credentials that should remain inside the protected HTTPS context are exposed on the cleartext hop.

Operationally, the vulnerability creates significant risk of traffic interception and credential theft. An attacker positioned on the network path, or otherwise able to observe traffic, can capture the credentials as they are resent over the plaintext hop. The exposure requires no special conditions or user interaction and is silent to the client, which makes it well suited to automated credential harvesting. The window opens during what should be a secure HTTPS transaction that the redirect downgrades to an insecure HTTP connection.

The security implications align with CWE-306, which addresses "Missing Authentication for Critical Function," and also relates to ATT&CK technique T1046 for network sniffing and credential harvesting. Organizations using vulnerable versions of the Requests library face increased risk of authentication bypass attacks, session hijacking, and credential exposure in environments where HTTPS-to-HTTP redirects occur. The vulnerability demonstrates a failure in proper protocol boundary enforcement and credential management within the HTTP client library, creating an unexpected information disclosure channel that undermines the security assumptions of HTTPS encryption.

Mitigation strategies for this vulnerability include updating to version 2.19.2 or later of the Requests library where the fix has been implemented. Organizations should also review their network configurations to minimize or eliminate HTTPS-to-HTTP redirects, implement proper network monitoring to detect unusual redirect patterns, and consider deploying additional security controls such as HTTPS enforcement mechanisms and credential scanning tools. The fix in the updated library properly handles the redirect scenario by ensuring that authentication headers are not forwarded across protocol boundaries, thereby maintaining the security isolation that users expect from HTTPS connections.
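The mechanism described above (credentials retained across a same-host https-to-http redirect) and the corrective behaviour (dropping the header at the protocol boundary) can be checked with the following added example. It is not code from the Requests project; `should_strip_auth`, `follow_redirects` and the redirect chain under `api.example.test` are this example's own constructions, and the policy also covers host changes and non-default port changes.

```python
"""Redirect-policy check modelling the CVE-2018-18074 failure mode.

Added example, not Requests' own code. A vulnerable client keeps the
Authorization header on every same-hostname redirect; the hardened policy
drops it when the hostname changes, when the scheme is downgraded from
https to http, or when the effective port changes (an http->https upgrade
between the default ports is allowed). Hostnames are constructed.
"""
from urllib.parse import urlparse

DEFAULT_PORTS = {"http": 80, "https": 443}


def _effective_port(parsed):
    # Use the scheme's default port when the URL does not name one.
    return parsed.port if parsed.port is not None else DEFAULT_PORTS.get(parsed.scheme)


def should_strip_auth(old_url: str, new_url: str) -> bool:
    """Return True when the Authorization header must NOT follow the redirect."""
    old, new = urlparse(old_url), urlparse(new_url)
    if old.hostname != new.hostname:
        return True            # different host: never forward credentials
    if old.scheme == "https" and new.scheme == "http":
        return True            # protocol downgrade: the CVE-2018-18074 case
    if old.scheme == "http" and new.scheme == "https":
        # TLS upgrade on the same host: keep the header only for default ports
        return not (_effective_port(old) == 80 and _effective_port(new) == 443)
    return _effective_port(old) != _effective_port(new)


def follow_redirects(start_url, headers, redirect_map, hardened=True):
    """Walk a constructed redirect chain; return (url, headers) for every hop."""
    hops, url, hdrs = [], start_url, dict(headers)
    while True:
        hops.append((url, dict(hdrs)))
        nxt = redirect_map.get(url)
        if nxt is None:
            return hops
        if hardened and should_strip_auth(url, nxt):
            hdrs.pop("Authorization", None)
        url = nxt


# Constructed chain (no real server): same host, https redirected to http.
CHAIN = {"https://api.example.test/v1/me": "http://api.example.test/v1/me"}
CREDS = {"Authorization": "Bearer EXAMPLE-TOKEN", "Accept": "application/json"}


def leaked_hops(hardened: bool):
    """URLs of plaintext (http) hops that still carry the Authorization header."""
    hops = follow_redirects("https://api.example.test/v1/me", CREDS, CHAIN, hardened)
    return [u for u, h in hops if urlparse(u).scheme == "http" and "Authorization" in h]
```

`leaked_hops(hardened=False)` reproduces the vulnerable behaviour by reporting the plaintext hop that still carries the token, while `leaked_hops(hardened=True)` returns an empty list.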

Reservation: 10/09/2018

Disclosure: 10/09/2018

Moderation: accepted

CPE: ready

EPSS: 0.00198

KEV: no

Activities: very low

Sources
