CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-47081: Requests vulnerable to .netrc credentials leak via malicious URLs

5.3 CVSS

Description

Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc file can be disabled with `trust_env=False` on one's Requests Session.

Classification

CVE ID: CVE-2024-47081

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.3

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Problem Types

CWE-522: Insufficiently Protected Credentials

Affected Products

Vendor: psf

Product: requests

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.06% (probability of being exploited)

EPSS Percentile: 18.04% (scored less or equal to compared to others)

EPSS Date: 2025-06-12 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2024-47081
https://github.com/psf/requests/security/advisories/GHSA-9hjg-9r4m-mvj7
https://github.com/psf/requests/pull/6965
https://github.com/psf/requests/commit/96ba401c1296ab1dda74a2365ef36d88f7d144ef
https://requests.readthedocs.io/en/latest/api/#requests.Session.trust_env
https://seclists.org/fulldisclosure/2025/Jun/2

Timeline

2025-06-09 18:40:10 UTC
CVE

Requests vulnerable to .netrc credentials leak via malicious URLs
2025-06-09 20:15:36 UTC
Github Advisory Database (PIP)

[requests] Requests vulnerable to .netrc credentials leak via malicious URLs