Requests, CacheControl and urllib3 audit by 7ASecurity

7ASecurity is proud to share the results of our security audit of Requests, CacheControl, and urllib3. Requests is an elegant and simple HTTP library for Python, designed to make HTTP requests simple and human-friendly. CacheControl is a port of the caching algorithms from httplib2 for use with the Requests session object, providing thread-safe HTTP caching support. urllib3 is a powerful and user-friendly HTTP client for Python that brings many critical features missing from the Python standard library. Together, these three Python libraries form a foundational HTTP stack that underpins an enormous portion of the Python ecosystem. In collaboration with The Open Source Technology Improvement Fund and with funding from Alpha-Omega, these projects received custom security testing, documentation, and recommendations contributing to their ongoing security and development work.

Audit Process:

This engagement was executed by a team of 5 senior auditors from 7ASecurity in October and November 2025, dedicating 34.2 working days to the assessment. This was the first penetration test for these projects. The methodology was whitebox: the audit team was provided with documentation, details about operational deployment processes, and full access to source code. The scope was organized across six work packages:

  • WP1: PyPI-Configured Integration Security Tests
  • WP2: Whitebox Review and Active Tests against urllib3
  • WP3: Whitebox Review and Active Tests against Requests
  • WP4: Whitebox Review and Differential Tests against CacheControl
  • WP5: Whitebox Tests against the Python Projects Supply Chain
  • WP6: Lightweight Threat Model Documentation

Audit Results:

  • 9 Issues with Security Impact
  • 2 Hardening Recommendations
  • Supply Chain Review
  • Future Security Work Recommendations

Despite the number of findings, the 7ASecurity team noted several strong positives. Notably, no issues were identified during WP1, demonstrating that the combined Requests, CacheControl, and urllib3 stack behaves correctly and securely under adversarial, multi-component flows. The combined library stack demonstrated solid resilience against complex, multi-step attack scenarios.

Advanced vectors including connection state poisoning and multipart body injection were correctly handled through secure-by-default design. The core libraries were well-engineered with extensive test coverage, and urllib3's supply chain posture was described as exceptionally strong, with advanced compliance across SLSA Source, Build, and Provenance requirements. The project maintainers were helpful, responsive, and engaged throughout the audit, ensuring that 7ASecurity had the necessary access and information at all times.

The urllib3 maintainers were by far the most responsive, a pleasure to work with, and patched all significant issues before the report was even sent!

For the full details of all findings, proof-of-concept demonstrations, affected code, and remediation guidance, please refer to the full report linked below. The full report is publicly available and licensed under the Creative Commons Attribution-ShareAlike 4.0 International license.

Acknowledgements:

Thank you to the individuals and groups that made this engagement possible:

  • Requests: Ian Stapleton Cordasco and Nate Prewitt
  • CacheControl: Frost Ming and William Woodruff
  • urllib3: Illia Volochii, Quentin Pradet, and Seth Larson
  • OSTIF for facilitating and coordinating this engagement
  • Alpha-Omega for funding this engagement

Read the reports:

You can read the full audit report HERE

You can read OSTIF's Blog HERE.

Everyone around the world depends on open source software. If you are interested in financially supporting this critical work, reach out to contactus@ostif.org.