oss-sec mailing list archives
Re: CVE-2024-47081: Netrc credential leak in PSF requests library
From: Demi Marie Obenour <demiobenour () gmail com>
Date: Tue, 3 Jun 2025 20:53:15 -0400
On 6/3/25 13:09, Alan Coopersmith wrote:
[I'm not sure how the attacker is supposed to get the victim to make a requests call using a URL the attacker controls, but that didn't stop them from getting a CVE issued for this. -alan- ]
Suppose that a server (like a web scraper) receives URLs that are attacker-controlled, validates that they point to the expected domain name, and then fetches them. In this case, Requests will send credentials for a domain name that is *not* the one that it is supposed to send them for, which is clearly a vulnerability. It's definitely better to reconstruct the URL from scheme, authority, path, and query before sending the request, but I am almost certain there are servers in the wild that do not do this.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
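The reconstruction approach described in the message above, as an added example that is not part of the original post or of the Requests code base: the server parses the untrusted URL once, checks the parsed host against an allowlist, and fetches only a URL rebuilt from those parsed components. The function name `rebuild_url`, the exception `RejectedURL` and the host `expected.example` are assumptions, and the URLs used with it are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumed policy for this sketch: one expected host, web schemes only.
ALLOWED_HOSTS = frozenset({"expected.example"})
ALLOWED_SCHEMES = frozenset({"http", "https"})


class RejectedURL(ValueError):
    """Raised when an untrusted URL fails the policy checks."""


def rebuild_url(raw, allowed_hosts=ALLOWED_HOSTS):
    """Validate an untrusted URL and return a copy rebuilt from its parts.

    The caller fetches the returned string, never `raw`, so the host that
    was validated is the only host the HTTP client ever sees.
    """
    try:
        parts = urlsplit(raw.strip())
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError as exc:
        raise RejectedURL(f"unparseable URL: {exc}") from exc

    if parts.scheme not in ALLOWED_SCHEMES:
        raise RejectedURL(f"scheme not allowed: {parts.scheme!r}")

    # A scraper has no reason to accept a userinfo component from its input,
    # so anything before an '@' in the authority is refused outright.
    if "@" in parts.netloc:
        raise RejectedURL("userinfo in authority is not accepted")

    host = parts.hostname  # lower-cased, without port
    if host is None or host not in allowed_hosts:
        raise RejectedURL(f"host not allowed: {host!r}")

    # Authority is rebuilt from the validated host and port only.
    authority = host if port is None else f"{host}:{port}"
    # The fragment is dropped: it is never sent to the server.
    return urlunsplit((parts.scheme, authority, parts.path or "/", parts.query, ""))


if __name__ == "__main__":
    for candidate in ("https://Expected.Example/a?q=1#frag", "https://other.example/"):
        try:
            print(candidate, "->", rebuild_url(candidate))
        except RejectedURL as err:
            print(candidate, "-> rejected:", err)
```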
