The Fix
pip install requests==2.27.0
Based on closed psf/requests issue #5274 · PR/commit linked
Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke critical endpoints (health, OpenAPI/docs) before 100%.
@@ -191,3 +191,4 @@ Patches and Suggestions
- Alessio Izzo (`@aless10 <https://github.com/aless10>`_)
- Sylvain Marié (`@smarie <https://github.com/smarie>`_)
+- Hod Bin Noon (`@hodbn <https://github.com/hodbn>`_)
diff --git a/requests/adapters.py b/requests/adapters.py
index 9b7f92af66..fe22ff450e 100644
repro.py
import requests
import time
from requests.packages import urllib3
#Disable https insecure warnings for verify=False
urllib3.disable_warnings()
with open('1.ts','rb') as fh:
file_data = fh.read()
def chunk_trans():
for i in range(0, 3):
time.sleep(0.1)
yield file_data
req = requests.Request('POST', 'http://192.168.123.151/1.ts', data=chunk_trans(), headers={'Host':'a.b.c.d'})
prep = req.prepare()
s = requests.Session()
s.send(prep, timeout=2, verify=False, allow_redirects=False)
verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
fix.md
Option A — Upgrade to fixed release\npip install requests==2.27.0\nWhen NOT to use: Do not use this fix if the application requires multiple Host headers for valid requests.\n\n
Why This Fix Works in Production
- Trigger: s.send(prep, timeout=2, verify=False, allow_redirects=False)
- Mechanism: The default Host header was sent along with a custom Host header in chunked requests
- Why the fix works: Fixes the issue of sending two Host headers in chunked requests by ensuring only the specified Host header is sent. (first fixed release: 2.27.0).
Production impact:
- If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.
Why This Breaks in Prod
- The default Host header was sent along with a custom Host header in chunked requests
- Production symptom (often without a traceback): s.send(prep, timeout=2, verify=False, allow_redirects=False)
Proof / Evidence
- GitHub issue: #5274
- Fix PR: https://github.com/psf/requests/pull/5391
- First fixed release: 2.27.0
- Reproduced locally: No (not executed)
- Last verified: 2026-02-09
- Confidence: 0.85
- Did this fix it?: Yes (upstream fix exists)
- Own content ratio: 0.59
Discussion
High-signal excerpts from the issue thread (symptoms, repros, edge-cases).
“I see that there is a PR for this (and has been for a while) but it is not yet merged”
Failure Signature (Search String)
- s.send(prep, timeout=2, verify=False, allow_redirects=False)
Copy-friendly signature
signature.txt
Failure Signature
-----------------
s.send(prep, timeout=2, verify=False, allow_redirects=False)
Error Message
Signature-only (no traceback captured)
error.txt
Error Message
-------------
s.send(prep, timeout=2, verify=False, allow_redirects=False)
Minimal Reproduction
repro.py
import requests
import time
from requests.packages import urllib3
#Disable https insecure warnings for verify=False
urllib3.disable_warnings()
with open('1.ts','rb') as fh:
file_data = fh.read()
def chunk_trans():
for i in range(0, 3):
time.sleep(0.1)
yield file_data
req = requests.Request('POST', 'http://192.168.123.151/1.ts', data=chunk_trans(), headers={'Host':'a.b.c.d'})
prep = req.prepare()
s = requests.Session()
s.send(prep, timeout=2, verify=False, allow_redirects=False)
What Broke
Two Host headers are sent, causing potential server confusion and incorrect request handling.
Why It Broke
The default Host header was sent along with a custom Host header in chunked requests
Fix Options (Details)
Option A — Upgrade to fixed release Safe default (recommended)
pip install requests==2.27.0
When NOT to use: Do not use this fix if the application requires multiple Host headers for valid requests.
Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.
Option D — Guard side-effects with OnceOnly Guardrail for side-effects
Mitigate duplicate external side-effects under retries/timeouts/agent loops by gating the operation before calling external systems.
- Place OnceOnly between your code/agent and real side-effects (Stripe, emails, CRM, APIs).
- Use a stable key per side-effect (e.g., customer_id + action + idempotency_key).
- Fail-safe: configure fail-open vs fail-closed based on blast radius and spend risk.
Show example snippet (optional)
onceonly.py
from onceonly import OnceOnly
import os
once = OnceOnly(api_key=os.environ["ONCEONLY_API_KEY"], fail_open=True)
# Stable idempotency key per real side-effect.
# Use a request id / job id / webhook delivery id / Stripe event id, etc.
event_id = "evt_..." # replace
key = f"stripe:webhook:{event_id}"
res = once.check_lock(key=key, ttl=3600)
if res.duplicate:
return {"status": "already_processed"}
# Safe to execute the side-effect exactly once.
handle_event(event_id)
When NOT to use: Do not use this to hide logic bugs or data corruption. Use it to block duplicate external side-effects and enforce tool permissions/spend caps.
Fix reference: https://github.com/psf/requests/pull/5391
First fixed release: 2.27.0
Last verified: 2026-02-09. Validate in your environment.
When NOT to Use This Fix
- Do not use this fix if the application requires multiple Host headers for valid requests.
- Do not use this to hide logic bugs or data corruption. Use it to block duplicate external side-effects and enforce tool permissions/spend caps.
Verify Fix
verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
Did This Fix Work in Your Case?
Quick signal helps us prioritize which fixes to verify and improve.
Prevention
- Make timeouts explicit and test them (unit + integration) to avoid silent behavior changes.
- Instrument retries (attempt count + reason) and alert on spikes to catch dependency slowdowns.
Version Compatibility Table
| Version | Status |
|---|---|
| 2.27.0 | Fixed |
Related Issues
No related fixes found.
Sources
We don’t republish the full GitHub discussion text. Use the links above for context.