CVE-2024-47081

Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc file can be disabled with `trust_env=False` on one's Requests Session.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.6 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/psf/requests/commit/96ba401c1296ab1dda74a2365ef36d88f7d144ef
https://github.com/psf/requests/pull/6965
https://github.com/psf/requests/security/advisories/GHSA-9hjg-9r4m-mvj7
https://requests.readthedocs.io/en/latest/api/#requests.Session.trust_env
https://seclists.org/fulldisclosure/2025/Jun/2
http://seclists.org/fulldisclosure/2025/Jun/2
http://www.openwall.com/lists/oss-security/2025/06/03/11
http://www.openwall.com/lists/oss-security/2025/06/03/9
http://www.openwall.com/lists/oss-security/2025/06/04/1
http://www.openwall.com/lists/oss-security/2025/06/04/6

Configurations

No configuration.

History

12 Jun 2025, 16:06

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-09 18:15

Updated : 2025-06-12 16:06

NVD link : CVE-2024-47081

Mitre link : CVE-2024-47081

CVE.ORG link : CVE-2024-47081

JSON object : View

Products Affected

No product.

CWE

CWE-522

Insufficiently Protected Credentials

{"id": "CVE-2024-47081", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.6}]}, "published": "2025-06-09T18:15:24.983", "references": [{"url": "https://github.com/psf/requests/commit/96ba401c1296ab1dda74a2365ef36d88f7d144ef", "source": "security-advisories@github.com"}, {"url": "https://github.com/psf/requests/pull/6965", "source": "security-advisories@github.com"}, {"url": "https://github.com/psf/requests/security/advisories/GHSA-9hjg-9r4m-mvj7", "source": "security-advisories@github.com"}, {"url": "https://requests.readthedocs.io/en/latest/api/#requests.Session.trust_env", "source": "security-advisories@github.com"}, {"url": "https://seclists.org/fulldisclosure/2025/Jun/2", "source": "security-advisories@github.com"}, {"url": "http://seclists.org/fulldisclosure/2025/Jun/2", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.openwall.com/lists/oss-security/2025/06/03/11", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.openwall.com/lists/oss-security/2025/06/03/9", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.openwall.com/lists/oss-security/2025/06/04/1", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.openwall.com/lists/oss-security/2025/06/04/6", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-522"}]}], "descriptions": [{"lang": "en", "value": "Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc file can be disabled with `trust_env=False` on one's Requests Session."}, {"lang": "es", "value": "Requests es una librer\u00eda HTTP. Debido a un problema de an\u00e1lisis de URL, las versiones de Requests anteriores a la 2.32.4 pueden filtrar credenciales .netrc a terceros para URL espec\u00edficas manipuladas con fines maliciosos. Los usuarios deben actualizar a la versi\u00f3n 2.32.4 para obtener una soluci\u00f3n. En versiones anteriores de Requests, el uso del archivo .netrc se puede desactivar con `trust_env=False` en la sesi\u00f3n de Requests."}], "lastModified": "2025-06-12T16:06:47.857", "sourceIdentifier": "security-advisories@github.com"}