GHSA-9hjg-9r4m-mvj7 - MODERATE Vulnerability | GeekWala
Loading...
Skip to main content
GeekWala

GHSA-9hjg-9r4m-mvj7

MODERATE

Requests vulnerable to .netrc credentials leak via malicious URLs

Published June 9, 2025Updated February 4, 2026Source: osv

Details

### Impact Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. ### Workarounds For older versions of Requests, use of the .netrc file can be disabled with `trust_env=False` on your Requests Session ([docs](https://requests.readthedocs.io/en/latest/api/#requests.Session.trust_env)). ### References https://github.com/psf/requests/pull/6965 https://seclists.org/fulldisclosure/2025/Jun/2

Remediation

Upgrade to the fixed version using your package manager.

pip
Update requests to 2.32.4 or later
pip install "requests>=2.32.4"

After upgrading, run your dependency scanner again to confirm the vulnerability is resolved.

Affected Packages (1)

PackageEcosystemAffectedFixed In
requests
PyPI
0.0.1, 0.10.0, 0.10.1, 0.10.2 (+151 more)2.32.4

Vulnerability Classification

Common Weakness Enumeration (CWE) identifiers for this vulnerability type.

CVSS Score Breakdown

What the CVSS (Common Vulnerability Scoring System) 3.1 score means for each attack dimension.

Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

References

Risk Assessment

CVSS Score
3.1

Exploitation is difficult or impact is minor. Address in your next planned update.

EPSS Score (30-day exploit probability)
0.11%
Higher than 30% of vulnerabilities

Also Known As

CVE-2024-47081

Check if you're affected

Scan your dependencies to see if this vulnerability affects your projects.

Scan Your Dependencies