The Open Source Technology Improvement Fund is proud to share the results of our security audit of Requests, CacheControl, and urllib3. Requests is a widely used, elegant HTTP library for Python, designed to make HTTP requests simple and human-friendly. CacheControl is a port of the caching algorithms from httplib2 for use with the Requests session object, providing thread-safe HTTP caching support. urllib3 is a powerful and user-friendly HTTP client for Python that brings many critical features missing from the Python standard library. Together, these three Python libraries form a foundational HTTP stack that underpins an enormous portion of the Python ecosystem. With the help of 7ASecurity and funding from Alpha-Omega, these projects received a custom security review, testing, and documentation.

Audit Process

This engagement was executed by a team of 5 senior auditors from 7ASecurity in October and November 2025, dedicating 34.2 working days to the assessment. This was the first penetration test for these projects. The methodology was whitebox: the audit team was provided with documentation, details about operational deployment processes, and full access to the source code. The scope was organized across six work packages:

  • WP1: PyPI-Configured Integration Security Tests
  • WP2: Whitebox Review and Active Tests against urllib3
  • WP3: Whitebox Review and Active Tests against Requests
  • WP4: Whitebox Review and Differential Tests against CacheControl
  • WP5: Whitebox Tests against the Python Projects Supply Chain
  • WP6: Lightweight Threat Model Documentation

Audit Results

  • 9 Issues with Security Impact
  • 2 Hardening Recommendations
  • Supply Chain Review
  • Future Security Work Recommendations

Despite the number of findings, the 7ASecurity team noted several strong positives. Notably, no issues were identified during WP1, demonstrating that the combined Requests–CacheControl–urllib3 stack behaves correctly and securely under adversarial, multi-component flows. The combined library stack demonstrated solid resilience against complex, multi-step attack scenarios. Advanced vectors, including connection state poisoning and multipart body injection, were correctly handled through secure-by-default design. The core libraries were well-engineered with extensive test coverage, and urllib3’s supply chain posture was described as exceptionally strong, with advanced compliance across the SLSA Source, Build, and Provenance requirements. The project maintainers were helpful, responsive, and engaged throughout the audit, ensuring that 7ASecurity had the necessary access and information at all times.

For the full details of all findings, proof-of-concept demonstrations, affected code, and remediation guidance, please refer to the full report linked below.

Thank you to the individuals and groups that made this engagement possible:

  • Ian Stapleton Cordasco and Nate Prewitt (Requests)
  • Frost Ming and William Woodruff (CacheControl)
  • Illia Volochii, Quentin Pradet, and Seth Larson (urllib3)
  • 7ASecurity — Abraham Aranguren, Daniel Ortiz, Dheeraj Joshi, Miroslav Štampar, and Szymon Grzybowski
  • Alpha-Omega for funding this engagement

You can read the full report HERE

You can read 7ASecurity’s blog HERE

The full report is publicly available and licensed under the Creative Commons Attribution-ShareAlike 4.0 International license.

Everyone around the world depends on open source software. If you’re interested in financially supporting this critical work, reach out to [email protected]