CVE-2024-47081 PUBLISHED

Requests vulnerable to .netrc credentials leak via malicious URLs

Assigner: GitHub_M
Reserved: 17.09.2024 Published: 09.06.2025 Updated: 09.06.2025

Requests is an HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc file can be disabled with trust_env=False on one's Requests Session.
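The following added example (not part of the advisory or of the Requests project) checks whether an installed Requests release falls in the affected range and, if so, applies the trust_env=False workaround to a new Session. The helper names parse_release, is_affected and make_session are hypothetical.

```python
import re
from importlib import metadata

FIXED = (2, 32, 4)  # first fixed release according to the advisory


def parse_release(version):
    """Split a version string into ((major, minor, patch), is_prerelease)."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)(.*)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    release = tuple((parts + [0, 0, 0])[:3])
    # PEP 440 pre-release/dev markers sort *before* the final release.
    pre = bool(re.match(r"[-_.]?(a|b|c|rc|alpha|beta|pre|preview|dev)",
                        m.group(2), re.I))
    return release, pre


def is_affected(version):
    """True when the version is earlier than 2.32.4."""
    release, pre = parse_release(version)
    return release < FIXED or (release == FIXED and pre)


def make_session():
    """Return a Session; on affected releases disable .netrc lookup."""
    import requests  # lazy import so the version helpers work without it
    session = requests.Session()
    if is_affected(requests.__version__):
        # trust_env=False also stops Requests from reading proxy and
        # CA-bundle settings from environment variables.
        session.trust_env = False
    return session


if __name__ == "__main__":
    try:
        installed = metadata.version("requests")
    except metadata.PackageNotFoundError:
        print("requests is not installed")
    else:
        state = "AFFECTED, upgrade to 2.32.4" if is_affected(installed) else "not affected"
        print(f"requests {installed}: {state}")
```

Run as a script in each virtual environment or container image to report the status of the Requests copy found there.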

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
CVSS Score: 5.3

Product Status

Vendor psf
Product requests
Versions
  • Version < 2.32.4 is affected

Problem Types

  • CWE-522: Insufficiently Protected Credentials