poetry-plugin-tweak-dependencies-version, Dependency Vulnerability, CVE-2026-25645 (Moderate)

Listen to this Post

The vulnerability exists because the poetry-plugin-tweak-dependencies-version plugin pins a specific vulnerable version of the `requests` library (likely 2.31.0 or earlier) within its own dependency tree. When a project uses this plugin, the vulnerable `requests` version is installed alongside it, even if the project’s main dependencies require a patched version. This occurs because the plugin’s `pyproject.toml` or `poetry.lock` explicitly sets a constraint that includes a known vulnerable release. An attacker could exploit this by leveraging the known flaws in that `requests` version—such as CVE-2023-32681 (information disclosure via excessive redirects) or CVE-2024-35195 (request smuggling)—depending on the exact pinned version. The plugin itself does not directly expose the vulnerability, but it forces the inclusion of a vulnerable transitive dependency, thereby reintroducing the risk into environments that otherwise would have been secure. The issue was fixed by updating the pin to a patched version of `requests` (e.g., >=2.32.0) and releasing version 1.5.6 of the plugin.
Platform: poetry-plugin-tweak-dependencies-version
Version: <= 1.5.5
Vulnerability: Pin vulnerable requests
Severity: Moderate
date: March 30, 2026

Prediction: April 1, 2026

Analytics under What Undercode Say:

Check currently installed plugin version
poetry show poetry-plugin-tweak-dependencies-version
List all installed dependencies and grep for requests
poetry show --tree | grep requests
Verify if vulnerable requests version is present
pip show requests | grep Version
Update plugin to patched version
poetry self add poetry-plugin-tweak-dependencies-version@^1.5.6
Alternatively, force upgrade of requests in the project
poetry add requests@">=2.32.0"

Exploit:

An attacker does not directly exploit the plugin but instead relies on the plugin being used in a project. By triggering any functionality that uses the `requests` library (e.g., making HTTP calls via the plugin’s dependency resolution logic), they can leverage known exploits in the pinned vulnerable `requests` version. For CVE-2023-32681, a malicious server could expose sensitive information via redirects; for CVE-2024-35195, request smuggling could lead to cache poisoning or credential theft.

Protection from this CVE:

Immediately update `poetry-plugin-tweak-dependencies-version` to version 1.5.6 or later using poetry self add poetry-plugin-tweak-dependencies-version@^1.5.6. If update is not possible, manually override the `requests` version in the project’s `pyproject.toml` by adding `requests = “>=2.32.0″` to the `[tool.poetry.dependencies]` section and run `poetry lock –no-update` followed by poetry install. Review all transitive dependencies with `poetry show –tree` to ensure no other packages pin the vulnerable requests.

Impact:

Projects using affected plugin versions (<=1.5.5) inherit a vulnerable `requests` library, exposing them to potential remote code execution, information disclosure, or request smuggling attacks depending on the exact vulnerability present in the pinned `requests` version. The impact is elevated in applications that make outgoing HTTP requests based on user input or interact with untrusted servers. The vulnerability is considered moderate due to its transitive nature and the requirement that the vulnerable `requests` be used in a context where the known flaws can be triggered.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top