CVE-2024-47081
BaseFortify
Publication date: 2025-06-09
Last updated on: 2025-06-12
Assigner: GitHub, Inc.
Exploitability
| CWE ID | Description |
|---|---|
| CWE-522 | The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2024-47081 is a vulnerability in the Python Requests library where .netrc credentials can be leaked to third parties due to improper URL parsing. Specifically, when a URL is crafted in a way that includes an embedded username with an empty password followed by a malicious hostname (e.g., `http://example.com:@evil.com/`), the library mistakenly sends the .netrc credentials configured for `example.com` to `evil.com`. This happens because the URL parsing logic incorrectly uses the full network location (netloc) instead of just the hostname when looking up credentials, causing credential leakage. The issue affects Requests versions prior to 2.32.4, and a fix was introduced in that version to correctly use only the hostname for .netrc lookups. [1, 2, 3, 6]
How can this vulnerability impact me?
This vulnerability can lead to the unintended disclosure of sensitive authentication credentials stored in the .netrc file to malicious third-party servers. An attacker can exploit this by crafting URLs or redirecting requests to malicious hosts, causing the Requests library to send your stored credentials to these attackers. This compromises the confidentiality of your credentials, potentially allowing unauthorized access to services that use those credentials. The vulnerability has a moderate severity with a CVSS score of 5.3, requires no privileges but does require user interaction and has a high impact on confidentiality. [1, 2, 5]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP requests made by the Requests library for suspicious URL patterns that include embedded usernames with empty passwords followed by a malicious hostname, such as URLs formatted like `http://example.com:@evil.com/`. Network traffic inspection tools or logs can be used to identify such requests where .netrc credentials might be leaked. There are no specific commands provided in the resources, but inspecting HTTP requests for URLs with embedded credentials and unexpected hostnames is recommended. Additionally, reviewing usage of the Requests library in your code for calls that might use .netrc credentials implicitly can help detect potential exploitation. [1, 3, 5]
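Worked example, added here and not part of the BaseFortify record or the Requests project's own code: the netloc-based lookup described in the first answer is reproduced from that description (not copied from Requests) beside the hostname-based lookup of the fix, and a hypothetical `credential_host_mismatch` check is run over constructed sample URLs to flag the pattern the detection answer describes.

```python
from urllib.parse import urlparse


def netrc_lookup_host_vulnerable(url: str) -> str:
    """Pre-2.32.4 behaviour as described above: the .netrc lookup host is
    taken from the full netloc, cut at the first ':' (intended to strip a
    port). Written from the description, not copied from requests."""
    netloc = urlparse(url).netloc
    return netloc.split(":")[0]


def netrc_lookup_host_fixed(url: str) -> str:
    """Post-fix behaviour: only the parsed hostname is used for the lookup."""
    return urlparse(url).hostname or ""


def connection_host(url: str) -> str:
    """The host the request is actually sent to (urlparse's hostname,
    i.e. everything after any user:password@ prefix)."""
    return urlparse(url).hostname or ""


def credential_host_mismatch(url: str) -> bool:
    """Hypothetical detection check: True when the vulnerable lookup would
    select .netrc credentials for one host while the request goes to another."""
    return netrc_lookup_host_vulnerable(url) != connection_host(url)


# Constructed sample URLs, as might be pulled from proxy or application logs.
SAMPLE_URLS = [
    "http://example.com/",
    "http://example.com:8080/api",          # port only: both lookups agree
    "http://example.com:@evil.com/",        # embedded user, empty password
    "https://example.com:@evil.com/path?x=1",
]


def flag_suspicious_urls(urls):
    """Return the URLs for which the lookup host and connection host differ."""
    return [u for u in urls if credential_host_mismatch(u)]


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{u}: netrc lookup (old) -> {netrc_lookup_host_vulnerable(u)!r}, "
              f"netrc lookup (fixed) -> {netrc_lookup_host_fixed(u)!r}, "
              f"mismatch={credential_host_mismatch(u)}")
```

The fixed lookup and the connection host are always the same value, which is exactly why restricting the lookup to the hostname closes the leak.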
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the Requests library to version 2.32.4 or later, where the vulnerability is fixed. For older versions where upgrading is not immediately possible, disable the use of the .netrc file by setting `trust_env=False` on your Requests Session object. Another workaround is to explicitly specify credentials in each API call to prevent automatic .netrc credential usage and leakage. However, note that this workaround may not be effective in the presence of HTTP redirects. The best and recommended action is to upgrade to Requests 2.32.4, which contains the fix that restricts .netrc lookups to the hostname only, preventing credential leakage. [2, 3, 5]