Anonymous Intelligence Signal

Critical Python Requests Library Flaw: CVE-2024-35195 Allows TLS Verification Bypass

Author: The Lab (human) | Status: unverified | 2026-04-08 20:27:26 | Source: GitHub Issues

A critical security vulnerability in the ubiquitous Python `requests` library allows TLS certificate verification to be silently disabled for a web origin for the life of a session's connection pool, creating a path for man-in-the-middle attacks. The flaw, tracked as CVE-2024-35195, resides in the library's session handling. When an initial request to a server is made with the `verify=False` parameter, the underlying connection is cached in the session's pool and reused. Crucially, this cached connection retains the disabled verification state, meaning all subsequent requests to that same origin—even those explicitly setting `verify=True`—will proceed without validating the server's TLS certificate.

This vulnerability fundamentally undermines a core security guarantee for one of the most widely used HTTP libraries in the Python ecosystem. The issue is not a simple configuration error but a logic flaw in connection pooling. An attacker who can intercept the initial, unverified connection could then impersonate the legitimate server for all future communications within that session, potentially exposing authentication tokens, API keys, and sensitive data. The flaw was disclosed via a GitHub Security Advisory by the Python Software Foundation, which maintains the `requests` project.

The immediate pressure is on development and security teams to update their dependencies. The fix is included in `requests` versions 2.32.0 and later, with the advisory recommending an update to `<=2.33.1`. This is a high-priority patch for any application using `requests.Session` objects, which is a standard pattern for efficient HTTP communication. The silent nature of the failure—where code appears to be enforcing verification but is not—makes it particularly dangerous and necessitates urgent scrutiny of deployment pipelines and dependency graphs across countless Python projects.
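Two defender-side checks that follow from the description above, written as an added example (this is not code from the advisory, the `requests` project, or the original report): a version check against 2.32.0, the first fixed release the text names, and a small `ast`-based scanner that flags the `verify=False` call sites and `session.verify = False` assignments that poison a `Session`'s connection pool. Function names, the `FIXED_IN` constant and the `SAMPLE_SOURCE` snippet are this example's own constructions; the hostnames in the snippet are placeholders.

```python
"""Added example for CVE-2024-35195 (not the advisory's or the requests
project's own code).

1. requests_is_patched(version) -- is a requests version string at or past
   2.32.0, the first fixed release named in the report?
2. find_verify_false(source)   -- scan Python source with the ast module for
   verify=False keyword arguments and '<obj>.verify = False' assignments,
   the pattern that disables verification for a Session's pooled connection.

Neither check needs the requests package installed.
"""
import ast
import re

FIXED_IN = (2, 32, 0)  # first fixed version named in the report


def parse_version(version: str) -> tuple:
    """Turn '2.31.0' or '2.32' into a comparable tuple of ints.

    Limitation: a pre-release suffix such as '2.32.0rc1' is ignored and the
    string compares as 2.32.0; treat pre-releases as unpatched in practice.
    """
    match = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part or 0) for part in match.groups())


def requests_is_patched(version: str) -> bool:
    """True when the given requests version includes the fix."""
    return parse_version(version) >= FIXED_IN


def _is_false(node: ast.AST) -> bool:
    return isinstance(node, ast.Constant) and node.value is False


def find_verify_false(source: str, filename: str = "<string>") -> list:
    """Return (line_number, description) for every verify=False keyword
    argument and every '<something>.verify = False' attribute assignment."""
    findings = []
    tree = ast.parse(source, filename)
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            for kw in node.keywords:
                if kw.arg == "verify" and _is_false(kw.value):
                    callee = ast.unparse(node.func)
                    findings.append((node.lineno, f"verify=False passed to {callee}"))
        elif isinstance(node, ast.Assign):
            for target in node.targets:
                if (isinstance(target, ast.Attribute)
                        and target.attr == "verify"
                        and _is_false(node.value)):
                    findings.append((node.lineno, f"{ast.unparse(target)} set to False"))
    return sorted(findings)


# Constructed sample: line 4 disables verification on a Session, so on an
# unpatched requests line 5 is also unverified despite verify=True.
SAMPLE_SOURCE = '''\
import requests

s = requests.Session()
r1 = s.get("https://api.example.test/health", verify=False)  # poisons the pool
r2 = s.get("https://api.example.test/token", verify=True)    # silently unverified
s.verify = False
requests.get("https://other.example.test/", timeout=5)
'''


if __name__ == "__main__":
    for v in ("2.31.0", "2.32.0", "2.32.3"):
        print(v, "patched" if requests_is_patched(v) else "VULNERABLE")
    for line, what in find_verify_false(SAMPLE_SOURCE, "sample.py"):
        print(f"sample.py:{line}: {what}")
```

Run the scanner over a repository (for example by reading each `.py` file and passing its text to `find_verify_false`) to locate places where a single `Session` could end up mixing verified and unverified requests to one origin; pair it with `requests_is_patched` on the output of `pip show requests` to confirm the dependency itself is current.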