
CVE-2024-47081: CWE-522: Insufficiently Protected Credentials in psf requests

Severity: Medium
Tags: Vulnerability, CVE-2024-47081, CWE-522
Published: Mon Jun 09 2025 (06/09/2025, 17:57:47 UTC)
Source: CVE Database V5
Vendor/Project: psf
Product: requests

Description

Requests is an HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc file can be disabled with `trust_env=False` on one's Requests Session.

AI-Powered Analysis

Last updated: 07/10/2025, 22:33:44 UTC

Technical Analysis

CVE-2024-47081 is a medium-severity vulnerability in the Python HTTP library Requests, affecting versions prior to 2.32.4. The root cause is a URL parsing flaw in the code that looks up credentials in a .netrc file. A .netrc file (read from `~/.netrc`, `~/_netrc` on Windows, or the path named by the `NETRC` environment variable) stores login credentials per machine, and Requests consults it automatically whenever the session's `trust_env` is enabled and no other authentication is supplied, attaching the matching credentials as HTTP Basic authentication. The hostname used as the lookup key was not derived from the URL in the same way as the host the request is actually sent to, so for specific maliciously crafted URLs the lookup can match a trusted machine entry while the connection goes to a different, attacker-controlled host. The stored credentials are then transmitted to that third party in the `Authorization` header. The weakness is classified as CWE-522, Insufficiently Protected Credentials.

The CVSS 3.1 base score is 5.3 (medium), with vector AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N: network attack vector, high attack complexity, no privileges required, user interaction required, unchanged scope, high confidentiality impact, and no integrity or availability impact. Exploitation requires that the attacker get a vulnerable application to issue a request to a URL they control, on a host whose .netrc holds credentials for a machine the attacker can name inside that URL; the "user interaction" component covers both a person following a link and an automated job fetching attacker-influenced URLs. There are no known exploits in the wild at this time.

The fix is to upgrade Requests to version 2.32.4 or later. Where that is not immediately possible, setting `trust_env=False` on the Requests Session disables the .netrc lookup; note that the same flag also controls whether Requests reads proxy settings and the `REQUESTS_CA_BUNDLE`/`CURL_CA_BUNDLE` variables from the environment, so those must then be configured explicitly. This vulnerability primarily affects applications and services that use Requests to fetch URLs influenced by untrusted input while relying on .netrc for credential management, which is common in automated scripts, CI/CD pipelines, and other programmatic HTTP integrations.
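The parsing flaw, as an added illustration that is not code from the requests project: a simplified model of how the .netrc lookup key is derived before and after the fix, run against a constructed .netrc written to a temporary file so it works offline. The pre-fix behaviour is modelled here as "the network location cut at the first colon" and the fixed behaviour as `urlparse(url).hostname`; that modelling, the hosts (api.example.com, attacker.example), the credentials and the URLs are all assumptions made for the example.

```python
import netrc
import os
import tempfile
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

# Constructed .netrc content for the example: credentials for one trusted host only.
NETRC_TEXT = "machine api.example.com login svc-user password s3cret-token\n"


def host_pre_fix(url: str) -> str:
    """Assumed model of the vulnerable lookup key: the network location cut at
    the first ':'. Userinfo in front of an '@' is never stripped, so a host name
    placed there is taken as the machine to look up."""
    return urlparse(url).netloc.split(":")[0]


def host_fixed(url: str) -> str:
    """Lookup key after the fix: the real hostname, i.e. whatever follows any
    userinfo and precedes any port, which is also the host that is connected to."""
    return urlparse(url).hostname or ""


def netrc_credentials(netrc_path: str, host: str) -> Optional[Tuple[str, str]]:
    """(login, password) for `host` from the .netrc at `netrc_path`, or None."""
    entry = netrc.netrc(netrc_path).authenticators(host)
    if entry is None:
        return None
    login, _account, password = entry
    return login, password


def compare(url: str) -> Dict[str, object]:
    """Run both lookups for `url` against the constructed .netrc and report the
    host the request would be sent to alongside what each lookup returns."""
    with tempfile.NamedTemporaryFile("w", suffix=".netrc", delete=False) as fh:
        fh.write(NETRC_TEXT)
        path = fh.name
    try:
        return {
            "request_goes_to": host_fixed(url),
            "pre_fix_lookup_host": host_pre_fix(url),
            "pre_fix_creds": netrc_credentials(path, host_pre_fix(url)),
            "fixed_creds": netrc_credentials(path, host_fixed(url)),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # Constructed URLs: a legitimate one, and an attacker-controlled one that
    # places the trusted host name in the userinfo part of the network location.
    for u in ("https://api.example.com/v1/items",
              "https://api.example.com:@attacker.example/collect"):
        print(u, compare(u))
```

For the crafted URL the request is sent to attacker.example, but the pre-fix lookup key is api.example.com, so the trusted credentials come back and would be attached to a request bound for the attacker; the fixed lookup keys on attacker.example and finds nothing.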

Potential Impact

For European organizations, the impact of CVE-2024-47081 can be significant wherever Requests is used to automate HTTP requests on hosts that carry .netrc credentials. Leakage of those credentials can give an attacker access to the internal or external services they unlock, exposing sensitive data or enabling lateral movement within networks. Confidentiality is the primary concern: the credentials are sent to an attacker who can get the application to request a URL they control, without any need to intercept traffic. This can compromise access to APIs, cloud services, or internal systems that rely on those credentials. The user-interaction requirement somewhat limits the risk but does not eliminate it; in automated pipelines that fetch URLs taken from untrusted sources (webhooks, dependency manifests, user-supplied links) no human is in the loop. The vulnerability does not affect integrity or availability directly, but it can be a stepping stone to more severe attacks if the leaked credentials are reused or carry broad privileges. Organizations with automated workflows, DevOps pipelines, or integrations that use Requests together with .netrc files should be particularly vigilant. The absence of known exploits in the wild means the threat is currently theoretical, but the patch is a routine version bump and should not be deferred.

Mitigation Recommendations

1. Upgrade the Requests library to version 2.32.4 or later; this is the only complete fix.
2. Where upgrading is not immediately feasible, set `trust_env=False` on the Requests Session so that .netrc is never consulted. Note that `trust_env` also controls whether Requests reads proxy settings (`HTTP_PROXY`, `HTTPS_PROXY`, `NO_PROXY`) and the `REQUESTS_CA_BUNDLE`/`CURL_CA_BUNDLE` variables from the environment, so supply proxies and the CA bundle explicitly if those were in use. Passing credentials explicitly (`auth=` on the request or `session.auth`) also bypasses the .netrc lookup for that request.
3. Audit codebases, automation scripts and CI/CD jobs for Requests usage on hosts that have a `~/.netrc` (`~/_netrc` on Windows, or the path in `NETRC`), and identify which of those fetch URLs derived from untrusted input.
4. Validate URLs before passing them to Requests: reject URLs whose network location contains userinfo (an `@` before the host) and compare `urlparse(url).hostname` against an allowlist of expected hosts.
5. Monitor outbound traffic for HTTP Basic `Authorization` headers sent to hosts other than those listed in .netrc files; such requests indicate credentials going to the wrong destination.
6. Rotate any credentials stored in .netrc files on hosts that may have fetched attacker-influenced URLs.
7. Educate developers and DevOps teams about the vulnerability and the importance of secure credential handling and timely library updates.
8. Prefer credential mechanisms that bind a secret to a specific destination, such as explicit per-request auth sourced from environment variables or a secrets vault, over .netrc files.
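A hardened Session and an offline check of what it would send, as an added example that is not the project's own code. It assumes the requests package is installed, points the `NETRC` environment variable (which Requests honours when `trust_env` is True) at a constructed .netrc so nothing on the real machine is read, and uses made-up hosts and secrets; the `url_is_safe_for_netrc` pre-filter and the version check are the example's own helpers, not a Requests API.

```python
import base64
import os
import tempfile
from typing import Dict, Optional, Union
from urllib.parse import urlparse

import requests

# Constructed .netrc content; never the machine's real file.
NETRC_TEXT = "machine api.example.com login svc-user password s3cret-token\n"
SECRET = "svc-user:s3cret-token"


def url_is_safe_for_netrc(url: str) -> bool:
    """Pre-flight filter for URLs taken from untrusted input: reject any URL
    whose network location carries userinfo ('@'), the shape that confuses the
    vulnerable lookup, and require a real hostname."""
    parts = urlparse(url)
    return "@" not in parts.netloc and bool(parts.hostname)


def credentials_sent(url: str, trust_env: bool) -> Optional[str]:
    """Prepare (but do not send) a GET and return the decoded 'user:password'
    that Requests would put in a Basic Authorization header, or None."""
    session = requests.Session()
    # False stops the .netrc lookup (and also env proxies and the
    # REQUESTS_CA_BUNDLE/CURL_CA_BUNDLE variables).
    session.trust_env = trust_env
    prepared = session.prepare_request(requests.Request("GET", url))
    header = prepared.headers.get("Authorization")
    if header is None or not header.startswith("Basic "):
        return header
    return base64.b64decode(header.split(" ", 1)[1]).decode()


def installed_version_is_fixed() -> Optional[bool]:
    """True if requests >= 2.32.4, None if the version string is unexpected."""
    try:
        parts = tuple(int(p) for p in requests.__version__.split(".")[:3])
    except ValueError:
        return None
    return parts >= (2, 32, 4)


def demo() -> Dict[str, Union[str, bool, None]]:
    """Compare a plain URL and a crafted one under trust_env True/False."""
    with tempfile.NamedTemporaryFile("w", suffix=".netrc", delete=False) as fh:
        fh.write(NETRC_TEXT)
        path = fh.name
    saved = os.environ.get("NETRC")
    os.environ["NETRC"] = path  # Requests reads this path first when trust_env is True
    try:
        plain = "https://api.example.com/v1/items"
        crafted = "https://api.example.com:@attacker.example/collect"
        return {
            "plain_trusted": credentials_sent(plain, trust_env=True),
            "plain_hardened": credentials_sent(plain, trust_env=False),
            "crafted_hardened": credentials_sent(crafted, trust_env=False),
            # True only on an unpatched version: the .netrc secret would go to attacker.example
            "crafted_trusted_leaks": credentials_sent(crafted, trust_env=True) == SECRET,
            "crafted_passes_prefilter": url_is_safe_for_netrc(crafted),
            "version_fixed": installed_version_is_fixed(),
        }
    finally:
        os.unlink(path)
        if saved is None:
            os.environ.pop("NETRC", None)
        else:
            os.environ["NETRC"] = saved


if __name__ == "__main__":
    print(f"requests {requests.__version__}")
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With `trust_env=False` the crafted URL still yields a Basic header containing `api.example.com:`, because Requests uses the URL's own userinfo as credentials; that is the attacker's junk, not the .netrc secret. The pre-filter rejects the crafted URL outright, which is the cheaper control when URLs come from untrusted input.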


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2024-09-17T17:42:37.030Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68487f5b1b0bd07c3938c183

Added to database: 6/10/2025, 6:54:19 PM

Last enriched: 7/10/2025, 10:33:44 PM

Last updated: 8/13/2025, 11:36:28 AM

