CVE-2024-47081 MEDIUM

CVE-2024-47081: Requests vulnerable to .netrc credentials leak via malicious URLs

Vendor Psf
Product requests
Weakness CWE-522 · Insufficiently protected credentials
Published June 9, 2025
Last update June 9, 2025

CVSS base score

5.3/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

Requests is an HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc file can be disabled by setting `trust_env=False` on one's Requests Session.
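
An added example (not code from this advisory or from the Requests project) of applying the mitigation described above: it decides whether a Requests version predates 2.32.4 and, if so, returns a Session with `trust_env=False`. The function names are hypothetical, and treating a pre-release of 2.32.4 or an unparseable version as affected is a conservative assumption.

```python
import re
from importlib import metadata

FIXED = (2, 32, 4)  # first fixed release, as stated in the description


def is_affected(version: str) -> bool:
    """Return True if `version` is a Requests release prior to 2.32.4."""
    version = version.strip()
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        return True  # assumption: an unparseable version is treated as affected
    nums = tuple(int(p) for p in m.group(0).split("."))
    nums += (0,) * (3 - len(nums))  # "2.32" compares as 2.32.0
    suffix = version[m.end():]
    # Assumption: a pre-release tag on the fixed version ("2.32.4rc1") may
    # lack the fix; post-release and local tags (".post1", "+x") keep it.
    if nums == FIXED and suffix and not suffix.startswith((".post", "+")):
        return True
    return nums < FIXED


def installed_requests_version():
    """Version of the installed requests distribution, or None if absent."""
    try:
        return metadata.version("requests")
    except metadata.PackageNotFoundError:
        return None


def hardened_session():
    """Build a Session; disable .netrc lookup when the install is affected."""
    import requests  # lazy import so the version check runs without it

    session = requests.Session()
    version = installed_requests_version()
    if version is None or is_affected(version):
        # trust_env=False stops Requests from reading ~/.netrc. It also stops
        # it from reading proxy and CA-bundle environment variables, so set
        # session.proxies / session.verify explicitly if you rely on those.
        session.trust_env = False
    return session


if __name__ == "__main__":
    v = installed_requests_version()
    print("requests:", v, "| affected:", v is not None and is_affected(v))
```

Upgrading to 2.32.4 remains the fix; the `trust_env=False` path is only for installs that cannot be upgraded yet.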

Key dates

02 Disclosure timeline

June 9, 2025 CVE published
June 9, 2025 Record updated