VYPR
Medium severity 5.3 · NVD Advisory · Published Jun 9, 2025 · Updated Apr 15, 2026

CVE-2024-47081

Description

Requests is an HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc file can be disabled with trust_env=False on one's Requests Session.
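
To see which URLs in a log or configuration would have produced a different .netrc lookup key before 2.32.4, the two host derivations can be compared side by side. This is an added example, not code from Requests or from the advisory; the function names and sample URLs are constructed for illustration, and the legacy derivation assumes the netloc was cut at its first colon, as in the lines removed by the patch listed under Patches.

```python
from urllib.parse import urlparse

# Constructed sample URLs (not taken from the advisory).
SAMPLE_URLS = [
    "https://api.example.com/v1/items",
    "https://api.example.com:8443/v1/items",
    "https://deploy:token@git.example.com/repo",
    "http://[::1]:8080/health",
    "/relative/path/only",
]


def legacy_netrc_host(url):
    """Lookup key as modelled for releases before 2.32.4: netloc up to the first ':'."""
    return urlparse(url).netloc.split(":")[0]


def fixed_netrc_host(url):
    """Lookup key from 2.32.4 on: the parsed hostname (None if the URL has no host)."""
    return urlparse(url).hostname


def audit_urls(urls):
    """Return (url, legacy_key, fixed_key) for each URL where the two keys differ."""
    findings = []
    for url in urls:
        legacy = legacy_netrc_host(url)
        fixed = fixed_netrc_host(url)
        # urlparse lower-cases hostname, so compare case-insensitively;
        # a missing host is treated as the empty string on both sides.
        if legacy.lower() != (fixed or ""):
            findings.append((url, legacy, fixed))
    return findings


if __name__ == "__main__":
    for url, legacy, fixed in audit_urls(SAMPLE_URLS):
        print(f"{url}\n  key before 2.32.4: {legacy!r}\n  key from 2.32.4:   {fixed!r}")
```

Any URL this reports is one where an older release would have looked up .netrc credentials under a key that is not the host the request is sent to.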

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
requests (PyPI) | < 2.32.4 | 2.32.4

Patches

2
96ba401c1296

Only use hostname to do netrc lookup instead of netloc

https://github.com/psf/requests · Nate Prewitt · Sep 25, 2024 · via ghsa
1 file changed · +1 -7
  • src/requests/utils.py · +1 -7 · modified
    @@ -236,13 +236,7 @@ def get_netrc_auth(url, raise_errors=False):
                 return
     
             ri = urlparse(url)
    -
    -        # Strip port numbers from netloc. This weird `if...encode`` dance is
    -        # used for Python 3.2, which doesn't support unicode literals.
    -        splitstr = b":"
    -        if isinstance(url, str):
    -            splitstr = splitstr.decode("ascii")
    -        host = ri.netloc.split(splitstr)[0]
    +        host = ri.hostname
     
             try:
                 _netrc = netrc(netrc_path).authenticators(host)
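
Review bot: `host = ri.hostname` is None when the URL has no network location, and that value goes straight into `authenticators(host)` on the context line below; an explicit `if not host: return` before the `try` would make the no-host case deliberate rather than incidental. The deleted comment was the only rationale at this spot, so a one-line comment that `hostname` excludes userinfo and port, whereas `netloc.split(":")[0]` kept whatever preceded the first colon, would help the next reader. `hostname` is also lower-cased by `urlparse`, which changes the lookup key for mixed-case hosts and is worth noting in the changelog.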
    
