Re: [oss-security] CVE-2024-47081: Netrc credential leak in PSF requests library

2025-06-04 Thread Jakub Wilk
* Alan Coopersmith, 2025-06-03 10:09:
> I'm not sure how the attacker is supposed to get the victim to make a requests call using a URL the attacker controls

The attacker could set up a public HTTP server at that redirects (via HTTP 302) everything to, say,

Re: [oss-security] CVE-2024-47081: Netrc credential leak in PSF requests library

2025-06-03 Thread Demi Marie Obenour
On 6/3/25 13:09, Alan Coopersmith wrote:
> [I'm not sure how the attacker is supposed to get the victim to make a
> requests call using a URL the attacker controls, but that didn't stop
> them from getting a CVE issued for this. -alan- ]

Suppose that a server (like a web scraper) receives URLs

Re: [oss-security] CVE-2024-47081: Netrc credential leak in PSF requests library

2025-06-03 Thread Dave Walker
Hi,

Well, it's probably just a coincidence, but I literally just spun up a web service that does exactly this: https://isitup.daviey.com/

The code doesn't make any reference to a .netrc, but I happen to have one in ~/.netrc:

```
machine localhost login *REDACTED* password CTF{*REDACTED*}
```

It