Jump to solution
Verify

Requests Infinite loop when verify is invalid UNC path (Fix)

Fixed
Spec
Package
Requests
Fixed In
2.27.0
Verdict
Status
Fixed
Safe for prod
No
Risk
Medium
Last verified
2026-02-09
Own content ratio
0.52
#5850 ai tls Updated: 2026-02-13
Issue #5850

The Fix

pip install requests==2.27.0

Based on closed psf/requests issue #5850 · PR/commit linked

Jump to Verify Open PR/Commit
@@ -245,6 +245,10 @@ def extract_zipped_paths(path): while archive and not os.path.exists(archive): archive, prefix = os.path.split(archive) + if not prefix: + # If we don't check for an empty prefix after the split (in other words, archive remains unchanged after the split), + # we _can_ end up in an infinite loop on a rare corner case affecting a small number of users
repro.py
{ "chardet": { "version": "4.0.0" }, "cryptography": { "version": "3.4.7" }, "idna": { "version": "2.10" }, "implementation": { "name": "CPython", "version": "3.8.10" }, "platform": { "release": "10", "system": "Windows" }, "pyOpenSSL": { "openssl_version": "101010bf", "version": "20.0.1" }, "requests": { "version": "2.25.1" }, "system_ssl": { "version": "101010bf" }, "urllib3": { "version": "1.26.4" }, "using_pyopenssl": true }
verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
fix.md
Option A — Upgrade to fixed release\npip install requests==2.27.0\nWhen NOT to use: Do not use this fix if the application relies on valid UNC paths for functionality.\n\n

Why This Fix Works in Production

  • Trigger: For `extract_zipped_paths` to return the path and an Exception to be thrown when the cert path is checked prior to verification being attempted.
  • Mechanism: An invalid UNC path leads to an infinite loop in extract_zipped_paths due to improper handling of path prefixes
  • Why the fix works: Fixes an infinite loop in extract_zipped_paths when an invalid UNC path is provided. (first fixed release: 2.27.0).

Why This Breaks in Prod

  • An invalid UNC path leads to an infinite loop in extract_zipped_paths due to improper handling of path prefixes
  • Production symptom (often without a traceback): For `extract_zipped_paths` to return the path and an Exception to be thrown when the cert path is checked prior to verification being attempted.

Proof / Evidence

  • GitHub issue: #5850
  • Fix PR: https://github.com/psf/requests/pull/5851
  • First fixed release: 2.27.0
  • Reproduced locally: No (not executed)
  • Last verified: 2026-02-09
  • Confidence: 0.85
  • Did this fix it?: Yes (upstream fix exists)
  • Own content ratio: 0.52

Discussion

High-signal excerpts from the issue thread (symptoms, repros, edge-cases).

Jump to Sources Open on GitHub
“This code path is only hit when using a patched certifi package that has certifi.where() return a UNC path”
@tl-hbk · 2021-06-29 · source

Failure Signature (Search String)

  • For `extract_zipped_paths` to return the path and an Exception to be thrown when the cert path is checked prior to verification being attempted.
  • "pyOpenSSL": {
Copy-friendly signature
signature.txt
Failure Signature ----------------- For `extract_zipped_paths` to return the path and an Exception to be thrown when the cert path is checked prior to verification being attempted. "pyOpenSSL": {

Error Message

Signature-only (no traceback captured)
error.txt
Error Message ------------- For `extract_zipped_paths` to return the path and an Exception to be thrown when the cert path is checked prior to verification being attempted. "pyOpenSSL": {

Minimal Reproduction

repro.py
{ "chardet": { "version": "4.0.0" }, "cryptography": { "version": "3.4.7" }, "idna": { "version": "2.10" }, "implementation": { "name": "CPython", "version": "3.8.10" }, "platform": { "release": "10", "system": "Windows" }, "pyOpenSSL": { "openssl_version": "101010bf", "version": "20.0.1" }, "requests": { "version": "2.25.1" }, "system_ssl": { "version": "101010bf" }, "urllib3": { "version": "1.26.4" }, "using_pyopenssl": true }

What Broke

The application hangs indefinitely when an invalid UNC path is provided, causing service unavailability.

Why It Broke

An invalid UNC path leads to an infinite loop in extract_zipped_paths due to improper handling of path prefixes

Fix Options (Details)

Option A — Upgrade to fixed release Safe default (recommended)

pip install requests==2.27.0

When NOT to use: Do not use this fix if the application relies on valid UNC paths for functionality.

Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.

Fix reference: https://github.com/psf/requests/pull/5851

First fixed release: 2.27.0

Last verified: 2026-02-09. Validate in your environment.

Get updates

We publish verified fixes weekly. No spam.

Subscribe

When NOT to Use This Fix

  • Do not use this fix if the application relies on valid UNC paths for functionality.

Verify Fix

verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.

Did This Fix Work in Your Case?

Quick signal helps us prioritize which fixes to verify and improve.

Prevention

  • Add a TLS smoke test that performs a real handshake in CI (include CA bundle validation and hostname checks).
  • Alert on handshake failures by error string and endpoint to catch cert/CA changes quickly.

Version Compatibility Table

VersionStatus
2.27.0 Fixed

Related Issues

No related fixes found.

Cluster: requests:ssl-handshake Requests hub Requests best practices All hubs All clusters
Related clusters: Configuration error Data consistency Other

Sources

We don’t republish the full GitHub discussion text. Use the links above for context.

Source & Disclaimer: Analysis derived from GitHub Issue #5850. Not affiliated with the library maintainers. Verify before production use.