Moderate severity · NVD Advisory · Published Mar 18, 2015 · Updated May 6, 2026
CVE-2015-2296
Description
The resolve_redirects function in sessions.py in requests 2.1.0 through 2.5.3 allows remote attackers to conduct session fixation attacks via a cookie without a host value in a redirect.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| requests (PyPI) | >= 2.1.0, < 2.6.0 | 2.6.0 |
Affected products
- cpe:2.3:a:python:requests:2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:python:requests:2.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:python:requests:2.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:python:requests:2.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:python:requests:2.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:python:requests:2.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:python:requests:2.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:python:requests:2.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:python:requests:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:python:requests:2.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:python:requests:2.5.3:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.10:*:*:*:*:*:*:*
- cpe:2.3:o:mageia_project:mageia:4.0:*:*:*:*:*:*:*
Patches
3bd8afbff29e: Don't ascribe cookies to the target domain.
1 file changed · +1 −1
requests/sessions.py+1 −1 modified@@ -171,7 +171,7 @@ def resolve_redirects(self, resp, req, stream=False, timeout=None, except KeyError: pass - extract_cookies_to_jar(prepared_request._cookies, prepared_request, resp.raw) + extract_cookies_to_jar(prepared_request._cookies, req, resp.raw) prepared_request._cookies.update(self.cookies) prepared_request.prepare_cookies(prepared_request._cookies)
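Review bot: the changed `extract_cookies_to_jar(...)` call has no regression test with it (1 file changed, +1 −1, `requests/sessions.py` only), so a later refactor of `resolve_redirects` could pass `prepared_request` again without anything failing. Add a test in which the redirect response sets a cookie with no domain attribute, and assert that the cookie is stored for the host of `req` and is not sent with the request to the redirect target. A one-line comment above the call saying that `req` is the request that produced `resp` would also help. Please also confirm that on the second and later hops of a redirect chain `req` still refers to the request that produced `resp`; the visible context does not show where `req` is reassigned.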
References
- github.com/advisories/GHSA-pg2w-x9wp-vw92 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2015-2296 (ghsa, ADVISORY)
- warehouse.python.org/project/requests/2.6.0/ (nvd, Vendor Advisory)
- advisories.mageia.org/MGASA-2015-0120.html (nvd, WEB)
- lists.fedoraproject.org/pipermail/package-announce/2015-March/153594.html (nvd, WEB)
- www.mandriva.com/security/advisories (nvd, WEB)
- www.openwall.com/lists/oss-security/2015/03/14/4 (nvd, WEB)
- www.openwall.com/lists/oss-security/2015/03/15/1 (nvd, WEB)
- www.ubuntu.com/usn/USN-2531-1 (nvd, WEB)
- github.com/kennethreitz/requests/commit/3bd8afbff29e50b38f889b2f688785a669b9aafc (nvd, WEB)
- github.com/psf/requests/commit/3bd8afbff29e50b38f889b2f688785a669b9aafc (ghsa, WEB)
- github.com/pypa/advisory-database/tree/main/vulns/requests/PYSEC-2015-17.yaml (ghsa, WEB)
- warehouse.python.org/project/requests/2.6.0 (ghsa, WEB)