CVE-2024-47081 Overview
CVE-2024-47081 is a sensitive data exposure vulnerability in the Python Requests HTTP library, one of the most widely-used Python packages for making HTTP requests. Due to a URL parsing issue in versions prior to 2.32.4, the library may inadvertently leak .netrc credentials to third-party hosts when processing maliciously-crafted URLs. This vulnerability stems from improper handling of the netloc component during URL parsing, allowing attackers to craft URLs that trick the library into sending stored credentials to unintended destinations.
Critical Impact
Attackers can craft malicious URLs that cause the Requests library to leak authentication credentials stored in .netrc files to unauthorized third-party servers, potentially compromising sensitive systems and accounts.
Affected Products
- Python Requests library versions prior to 2.32.4
- Applications and services using vulnerable Requests library versions with .netrc authentication enabled
- Python environments where trust_env=True (default) is used in Requests Sessions
Discovery Timeline
- June 9, 2025 - CVE-2024-47081 published to NVD
- June 12, 2025 - Last updated in NVD database
Technical Details for CVE-2024-47081
Vulnerability Analysis
This vulnerability is classified under CWE-522 (Insufficiently Protected Credentials) and affects the credential handling mechanism in the Python Requests library. The root issue lies in how the library performs hostname lookups when retrieving credentials from .netrc files. The vulnerable code used ri.netloc.split(":")[0] to extract the hostname from a URL, which can be manipulated by attackers to cause credential leakage to unintended hosts.
The .netrc file is a standard Unix mechanism for storing machine login credentials and is commonly used for automated authentication in scripts and applications. When Requests processes a URL with trust_env=True (the default behavior), it consults the .netrc file to obtain credentials for the target host. The URL parsing flaw allows attackers to craft URLs where the netloc component is parsed incorrectly, causing credentials intended for one host to be sent to another.
Root Cause
The vulnerability originates in the src/requests/utils.py file where the library extracts the hostname for .netrc credential lookups. The flawed implementation used string splitting on the netloc attribute to remove port numbers, but this approach is susceptible to URL parsing edge cases. Specifically, the code ri.netloc.split(splitstr)[0] does not properly handle all URL formats, allowing attackers to construct URLs that bypass the intended hostname extraction logic.
Attack Vector
The attack requires user interaction where a victim's application processes a maliciously-crafted URL. The attacker must:
- Craft a specially-formatted URL that exploits the netloc parsing flaw
- Induce the victim's application to make a request to this URL using the Requests library
- The vulnerable code will incorrectly match the URL to a .netrc entry and send credentials to the attacker-controlled server
The attack requires network access and relies on the target application having .netrc credentials configured for the spoofed hostname.
# Security patch from src/requests/utils.py
# Source: https://github.com/psf/requests/commit/96ba401c1296ab1dda74a2365ef36d88f7d144ef
return
ri = urlparse(url)
-
- # Strip port numbers from netloc. This weird `if...encode`` dance is
- # used for Python 3.2, which doesn't support unicode literals.
- splitstr = b":"
- if isinstance(url, str):
- splitstr = splitstr.decode("ascii")
- host = ri.netloc.split(splitstr)[0]
+ host = ri.hostname
try:
_netrc = netrc(netrc_path).authenticators(host)
The fix replaces the manual string splitting with Python's built-in ri.hostname property, which correctly handles URL parsing edge cases and extracts only the hostname component.
Detection Methods for CVE-2024-47081
Indicators of Compromise
- Unexpected outbound HTTP requests containing authentication headers to unknown third-party hosts
- Log entries showing .netrc credential lookups for hosts that don't match expected service endpoints
- Network traffic analysis revealing credential-bearing requests to suspicious or newly-registered domains
- Application logs showing URL parsing anomalies or unusual netloc values
Detection Strategies
- Scan Python environments for Requests library versions older than 2.32.4 using package auditing tools like pip-audit or safety
- Monitor network egress traffic for authentication headers being sent to unexpected destinations
- Implement Software Composition Analysis (SCA) in CI/CD pipelines to detect vulnerable dependencies
- Review application logs for unusual URL patterns that may indicate exploitation attempts
Monitoring Recommendations
- Enable verbose logging for HTTP requests in production applications to track credential usage patterns
- Configure network monitoring to alert on authentication data being transmitted to hosts outside approved allow-lists
- Implement runtime application security monitoring to detect anomalous credential usage
- Set up dependency vulnerability scanning as part of regular security assessments
How to Mitigate CVE-2024-47081
Immediate Actions Required
- Upgrade the Python Requests library to version 2.32.4 or later immediately
- Audit all Python applications and virtual environments for vulnerable Requests versions
- For applications that cannot be immediately upgraded, disable .netrc usage by setting trust_env=False on Requests Sessions
- Review .netrc files to ensure credentials stored are limited to strictly necessary hosts
Patch Information
The vulnerability has been fixed in Requests version 2.32.4. The patch, available via commit 96ba401c1296ab1dda74a2365ef36d88f7d144ef, replaces the vulnerable netloc string splitting with the proper hostname attribute from Python's URL parsing library. Users should upgrade using:
pip install --upgrade requests>=2.32.4
For detailed information, refer to the GitHub Security Advisory GHSA-9hjg-9r4m-mvj7 and the GitHub Pull Request Discussion.
Workarounds
- Disable automatic environment trust by setting trust_env=False when creating Requests Sessions, which prevents .netrc credential loading
- Remove or restrict .netrc files from systems where they are not strictly required
- Implement network egress filtering to prevent credentials from being sent to unauthorized hosts
- Use explicit authentication methods in code rather than relying on .netrc automatic credential loading
# Workaround: Disable trust_env in Python Requests Sessions
# Add this configuration to your application code:
# Example Python code to disable .netrc usage:
# import requests
# session = requests.Session()
# session.trust_env = False
# response = session.get('https://example.com/api/endpoint')
# Verify Requests version in your environment:
pip show requests | grep Version
# Upgrade to patched version:
pip install --upgrade "requests>=2.32.4"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
