Anonymous Intelligence Signal

CVE-2018-18074: Python requests Library Vulnerability Exposes Credentials on Redirect

Author: human (The Lab) | Status: unverified | Published: 2026-05-10 02:31:55 | Source: GitHub Issues

A medium-severity vulnerability in the widely used Python requests library could expose authentication credentials to unintended hosts during HTTP redirects. CVE-2018-18074 affects all versions of requests prior to 2.20.0; the flaw causes Authorization headers to be incorrectly forwarded when a request is redirected to a different host. For any system handling partner API authentication through transparent redirects, this represents a direct credential-leakage risk that could allow unauthorized parties to intercept sensitive authentication data.

The vulnerability was confirmed to impact an internal http-client service running requests version 2.19.0, which falls squarely within the affected range. The http-client wrapper is explicitly designed to support transparent redirects with partner API authentication, creating an attack surface where credentials intended for one host could be silently transmitted to an entirely different destination during redirect flows. The flaw was patched in requests 2.20.0, but any deployment still running older versions remains exposed to this credential-forwarding behavior.

The implications extend beyond the immediate service to any infrastructure relying on the requests library for authenticated API calls where redirect handling is enabled. Organizations using requests for partner integrations, third-party API consumption, or any authenticated HTTP flows should audit their dependency versions immediately. The fix requires upgrading to requests 2.20.0 or later, but the broader concern is that redirect-based authentication flows require explicit credential scoping to prevent authorization data from leaking across host boundaries. Systems that have not yet patched should treat this as an active security exposure and prioritize version upgrades alongside a review of any logs that might reveal whether credentials were forwarded to unexpected hosts during the period of vulnerability.
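As an added example, not code from this signal or from the requests project, the following stdlib-only Python shows the three checks the advisory calls for: a version audit against the 2.20.0 fix, an explicit credential-scoping rule applied to the headers of a redirected request (drop Authorization when the hostname changes or the scheme downgrades from https to http), and a scan of redirect log lines to flag hops where a credential crossed a host boundary. The log format, the hostnames and the header values are constructed for the example; the scoping rule is a defender's policy written here, not a copy of requests' own redirect code.

```python
import re
from urllib.parse import urlparse

# requests versions below this one forward Authorization headers on
# cross-host redirects (CVE-2018-18074, as described above).
FIXED_VERSION = (2, 20, 0)


def parse_version(version: str) -> tuple:
    """Turn a dotted version string such as '2.19.0' into a comparable int tuple."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable_version(version: str) -> bool:
    """True when the installed requests version predates the 2.20.0 fix."""
    return parse_version(version) < FIXED_VERSION


def should_strip_auth(old_url: str, new_url: str) -> bool:
    """Credential-scoping rule for a redirect from old_url to new_url.

    Strip the Authorization header when:
      * the hostname differs (credential must not cross a host boundary), or
      * the scheme downgrades from https to http (credential would travel in clear).
    Otherwise the header may be kept.
    """
    old, new = urlparse(old_url), urlparse(new_url)
    if (old.hostname or "").lower() != (new.hostname or "").lower():
        return True
    if old.scheme == "https" and new.scheme == "http":
        return True
    return False


def headers_for_redirect(headers: dict, old_url: str, new_url: str) -> dict:
    """Return the header set to send on the redirected request, scoped by the rule above."""
    next_headers = dict(headers)
    if should_strip_auth(old_url, new_url):
        next_headers.pop("Authorization", None)
    return next_headers


# Constructed log format (hypothetical): one line per followed redirect, recording
# whether the client still carried an Authorization header on the next hop.
LOG_RE = re.compile(r"redirect from=(\S+) to=(\S+) auth=(yes|no)")

SAMPLE_LOG = """\
2026-05-10T02:31:55Z redirect from=https://api.partner.example/v1/token to=https://cdn.other.example/v1/token auth=yes
2026-05-10T02:32:01Z redirect from=https://api.partner.example/v1/a to=https://api.partner.example/v1/b auth=yes
2026-05-10T02:32:07Z redirect from=https://api.partner.example/v1/c to=https://mirror.example/v1/c auth=no
2026-05-10T02:32:12Z redirect from=https://api.partner.example/v1/d to=http://api.partner.example/v1/d auth=yes
"""


def find_leaky_redirects(log_text: str) -> list:
    """Return (from, to) pairs where a credential was forwarded across a boundary
    that the scoping rule says it should not have crossed."""
    leaks = []
    for line in log_text.splitlines():
        match = LOG_RE.search(line)
        if not match:
            continue
        old_url, new_url, auth = match.groups()
        if auth == "yes" and should_strip_auth(old_url, new_url):
            leaks.append((old_url, new_url))
    return leaks


if __name__ == "__main__":
    print("requests 2.19.0 vulnerable:", is_vulnerable_version("2.19.0"))
    for old_url, new_url in find_leaky_redirects(SAMPLE_LOG):
        print("credential crossed boundary:", old_url, "->", new_url)
```

Run against a real deployment, `is_vulnerable_version` would be fed the installed version (for instance `requests.__version__`), and `find_leaky_redirects` would read the service's own redirect logs once they are mapped onto the constructed line format; on the sample above it flags the cross-host hop and the https-to-http hop and leaves the same-host https redirect alone.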