Requests before 2.32.4 leaks .netrc credentials via URL parsing
CVE-2024-47081 Published on June 9, 2025
Requests vulnerable to .netrc credentials leak via malicious URLs
Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc file can be disabled with `trust_env=False` on one's Requests Session.
Vulnerability Analysis
CVE-2024-47081 can be exploited with network access, requires user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.
Weakness Type
Insufficiently Protected Credentials
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Products Associated with CVE-2024-47081
stack.watch emails you whenever new vulnerabilities are published in Canonical Ubuntu Linux or Python Requests. Just hit a watch button to start following.
Affected Versions
psf requests Version < 2.32.4 is affected by CVE-2024-47081Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.