Fluid Attacks Database

Description

Requests vulnerable to .netrc credentials leak via malicious URLs

Impact

Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs.

Workarounds

For older versions of Requests, use of the .netrc file can be disabled with trust_env=False on your Requests Session (docs).

References

https://github.com/psf/requests/pull/6965 https://seclists.org/fulldisclosure/2025/Jun/2

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
alpine v3.19	py3-requests	=1.0.4-r0 \|\| =1.1.0-r0 \|\| =1.2.3-r0 \|\| =2.0.0-r0 \|\| =2.10.0-r0 \|\| =2.11.0-r0 \|\| =2.11.1-r0 \|\| =2.11.1-r1 \|\| =2.12.4-r0 \|\| =2.12.4-r1 \|\| =2.13.0-r0 \|\| =2.16.5-r0 \|\| =2.17.3-r0 \|\| =2.18.1-r0 \|\| =2.18.1-r1 \|\| =2.18.2-r0 \|\| =2.18.3-r0 \|\| =2.18.4-r0 \|\| =2.19.1-r0 \|\| =2.21.0-r0 \|\| =2.21.0-r1 \|\| =2.21.0-r2 \|\| =2.21.0-r3 \|\| =2.21.0-r4 \|\| =2.21.0-r5 \|\| =2.21.0-r6 \|\| =2.22.0-r0 \|\| =2.22.0-r1 \|\| =2.23.0-r0 \|\| =2.24.0-r0 \|\| =2.24.0-r1 \|\| =2.24.0-r2 \|\| =2.24.0-r3 \|\| =2.25.0-r0 \|\| =2.25.0-r1 \|\| =2.25.1-r0 \|\| =2.25.1-r1 \|\| =2.25.1-r2 \|\| =2.25.1-r3 \|\| =2.25.1-r4 \|\| =2.26.0-r0 \|\| =2.26.0-r1 \|\| =2.26.0-r2 \|\| =2.27.1-r0 \|\| =2.28.1-r0 \|\| =2.28.1-r1 \|\| =2.28.1-r2 \|\| =2.28.2-r0 \|\| =2.28.2-r1 \|\| =2.29.0-r0 \|\| =2.3.0-r0 \|\| =2.30.0-r0 \|\| =2.31.0-r0 \|\| =2.31.0-r1 \|\| =2.32.3-r0 \|\| =2.4.3-r0 \|\| =2.5.1-r0 \|\| =2.5.2-r0 \|\| =2.6.0-r0 \|\| =2.7.0-r0 \|\| =2.8.1-r0 \|\| =2.9.1-r0 \|\| >=0 <2.32.4-r0	2.32.4-r0
alpine v3.20	py3-requests	=1.0.4-r0 \|\| =1.1.0-r0 \|\| =1.2.3-r0 \|\| =2.0.0-r0 \|\| =2.10.0-r0 \|\| =2.11.0-r0 \|\| =2.11.1-r0 \|\| =2.11.1-r1 \|\| =2.12.4-r0 \|\| =2.12.4-r1 \|\| =2.13.0-r0 \|\| =2.16.5-r0 \|\| =2.17.3-r0 \|\| =2.18.1-r0 \|\| =2.18.1-r1 \|\| =2.18.2-r0 \|\| =2.18.3-r0 \|\| =2.18.4-r0 \|\| =2.19.1-r0 \|\| =2.21.0-r0 \|\| =2.21.0-r1 \|\| =2.21.0-r2 \|\| =2.21.0-r3 \|\| =2.21.0-r4 \|\| =2.21.0-r5 \|\| =2.21.0-r6 \|\| =2.22.0-r0 \|\| =2.22.0-r1 \|\| =2.23.0-r0 \|\| =2.24.0-r0 \|\| =2.24.0-r1 \|\| =2.24.0-r2 \|\| =2.24.0-r3 \|\| =2.25.0-r0 \|\| =2.25.0-r1 \|\| =2.25.1-r0 \|\| =2.25.1-r1 \|\| =2.25.1-r2 \|\| =2.25.1-r3 \|\| =2.25.1-r4 \|\| =2.26.0-r0 \|\| =2.26.0-r1 \|\| =2.26.0-r2 \|\| =2.27.1-r0 \|\| =2.28.1-r0 \|\| =2.28.1-r1 \|\| =2.28.1-r2 \|\| =2.28.2-r0 \|\| =2.28.2-r1 \|\| =2.29.0-r0 \|\| =2.3.0-r0 \|\| =2.30.0-r0 \|\| =2.31.0-r0 \|\| =2.31.0-r1 \|\| =2.31.0-r2 \|\| =2.32.3-r0 \|\| =2.4.3-r0 \|\| =2.5.1-r0 \|\| =2.5.2-r0 \|\| =2.6.0-r0 \|\| =2.7.0-r0 \|\| =2.8.1-r0 \|\| =2.9.1-r0 \|\| >=0 <2.32.4-r0	2.32.4-r0
alpine v3.21	py3-requests	=1.0.4-r0 \|\| =1.1.0-r0 \|\| =1.2.3-r0 \|\| =2.0.0-r0 \|\| =2.10.0-r0 \|\| =2.11.0-r0 \|\| =2.11.1-r0 \|\| =2.11.1-r1 \|\| =2.12.4-r0 \|\| =2.12.4-r1 \|\| =2.13.0-r0 \|\| =2.16.5-r0 \|\| =2.17.3-r0 \|\| =2.18.1-r0 \|\| =2.18.1-r1 \|\| =2.18.2-r0 \|\| =2.18.3-r0 \|\| =2.18.4-r0 \|\| =2.19.1-r0 \|\| =2.21.0-r0 \|\| =2.21.0-r1 \|\| =2.21.0-r2 \|\| =2.21.0-r3 \|\| =2.21.0-r4 \|\| =2.21.0-r5 \|\| =2.21.0-r6 \|\| =2.22.0-r0 \|\| =2.22.0-r1 \|\| =2.23.0-r0 \|\| =2.24.0-r0 \|\| =2.24.0-r1 \|\| =2.24.0-r2 \|\| =2.24.0-r3 \|\| =2.25.0-r0 \|\| =2.25.0-r1 \|\| =2.25.1-r0 \|\| =2.25.1-r1 \|\| =2.25.1-r2 \|\| =2.25.1-r3 \|\| =2.25.1-r4 \|\| =2.26.0-r0 \|\| =2.26.0-r1 \|\| =2.26.0-r2 \|\| =2.27.1-r0 \|\| =2.28.1-r0 \|\| =2.28.1-r1 \|\| =2.28.1-r2 \|\| =2.28.2-r0 \|\| =2.28.2-r1 \|\| =2.29.0-r0 \|\| =2.3.0-r0 \|\| =2.30.0-r0 \|\| =2.31.0-r0 \|\| =2.31.0-r1 \|\| =2.31.0-r2 \|\| =2.32.2-r0 \|\| =2.32.3-r0 \|\| =2.4.3-r0 \|\| =2.5.1-r0 \|\| =2.5.2-r0 \|\| =2.6.0-r0 \|\| =2.7.0-r0 \|\| =2.8.1-r0 \|\| =2.9.1-r0 \|\| >=0 <2.32.4-r0	2.32.4-r0
alpine v3.22	py3-requests	=1.0.4-r0 \|\| =1.1.0-r0 \|\| =1.2.3-r0 \|\| =2.0.0-r0 \|\| =2.10.0-r0 \|\| =2.11.0-r0 \|\| =2.11.1-r0 \|\| =2.11.1-r1 \|\| =2.12.4-r0 \|\| =2.12.4-r1 \|\| =2.13.0-r0 \|\| =2.16.5-r0 \|\| =2.17.3-r0 \|\| =2.18.1-r0 \|\| =2.18.1-r1 \|\| =2.18.2-r0 \|\| =2.18.3-r0 \|\| =2.18.4-r0 \|\| =2.19.1-r0 \|\| =2.21.0-r0 \|\| =2.21.0-r1 \|\| =2.21.0-r2 \|\| =2.21.0-r3 \|\| =2.21.0-r4 \|\| =2.21.0-r5 \|\| =2.21.0-r6 \|\| =2.22.0-r0 \|\| =2.22.0-r1 \|\| =2.23.0-r0 \|\| =2.24.0-r0 \|\| =2.24.0-r1 \|\| =2.24.0-r2 \|\| =2.24.0-r3 \|\| =2.25.0-r0 \|\| =2.25.0-r1 \|\| =2.25.1-r0 \|\| =2.25.1-r1 \|\| =2.25.1-r2 \|\| =2.25.1-r3 \|\| =2.25.1-r4 \|\| =2.26.0-r0 \|\| =2.26.0-r1 \|\| =2.26.0-r2 \|\| =2.27.1-r0 \|\| =2.28.1-r0 \|\| =2.28.1-r1 \|\| =2.28.1-r2 \|\| =2.28.2-r0 \|\| =2.28.2-r1 \|\| =2.29.0-r0 \|\| =2.3.0-r0 \|\| =2.30.0-r0 \|\| =2.31.0-r0 \|\| =2.31.0-r1 \|\| =2.31.0-r2 \|\| =2.32.2-r0 \|\| =2.32.3-r0 \|\| =2.4.3-r0 \|\| =2.5.1-r0 \|\| =2.5.2-r0 \|\| =2.6.0-r0 \|\| =2.7.0-r0 \|\| =2.8.1-r0 \|\| =2.9.1-r0 \|\| >=0 <2.32.4-r0	2.32.4-r0
debian 11	requests	=2.25.1+dfsg-2 \|\| =2.27.1+dfsg-1 \|\| =2.28.1+dfsg-1 \|\| =2.31.0+dfsg-1 \|\| =2.31.0+dfsg-2 \|\| =2.32.3+dfsg-1 \|\| =2.32.3+dfsg-2 \|\| =2.32.3+dfsg-3 \|\| =2.32.3+dfsg-4 \|\| =2.32.3+dfsg-5 \|\| =2.32.4+dfsg-1 \|\| =2.32.5+dfsg-1	-
debian 12	requests	=2.28.1+dfsg-1 \|\| =2.31.0+dfsg-1 \|\| =2.31.0+dfsg-2 \|\| =2.32.3+dfsg-1 \|\| =2.32.3+dfsg-2 \|\| =2.32.3+dfsg-3 \|\| =2.32.3+dfsg-4 \|\| =2.32.3+dfsg-5 \|\| =2.32.4+dfsg-1 \|\| =2.32.5+dfsg-1	-
debian 13	requests	=2.32.3+dfsg-5 \|\| >=0 <2.32.3+dfsg-5+deb13u1	2.32.3+dfsg-5+deb13u1
debian 14	requests	=2.32.3+dfsg-5 \|\| >=0 <2.32.4+dfsg-1	2.32.4+dfsg-1
pypi	requests	>=0 <2.32.4	2.32.4
alpine v3.23	py3-requests	=1.0.4-r0 \|\| =1.1.0-r0 \|\| =1.2.3-r0 \|\| =2.0.0-r0 \|\| =2.10.0-r0 \|\| =2.11.0-r0 \|\| =2.11.1-r0 \|\| =2.11.1-r1 \|\| =2.12.4-r0 \|\| =2.12.4-r1 \|\| =2.13.0-r0 \|\| =2.16.5-r0 \|\| =2.17.3-r0 \|\| =2.18.1-r0 \|\| =2.18.1-r1 \|\| =2.18.2-r0 \|\| =2.18.3-r0 \|\| =2.18.4-r0 \|\| =2.19.1-r0 \|\| =2.21.0-r0 \|\| =2.21.0-r1 \|\| =2.21.0-r2 \|\| =2.21.0-r3 \|\| =2.21.0-r4 \|\| =2.21.0-r5 \|\| =2.21.0-r6 \|\| =2.22.0-r0 \|\| =2.22.0-r1 \|\| =2.23.0-r0 \|\| =2.24.0-r0 \|\| =2.24.0-r1 \|\| =2.24.0-r2 \|\| =2.24.0-r3 \|\| =2.25.0-r0 \|\| =2.25.0-r1 \|\| =2.25.1-r0 \|\| =2.25.1-r1 \|\| =2.25.1-r2 \|\| =2.25.1-r3 \|\| =2.25.1-r4 \|\| =2.26.0-r0 \|\| =2.26.0-r1 \|\| =2.26.0-r2 \|\| =2.27.1-r0 \|\| =2.28.1-r0 \|\| =2.28.1-r1 \|\| =2.28.1-r2 \|\| =2.28.2-r0 \|\| =2.28.2-r1 \|\| =2.29.0-r0 \|\| =2.3.0-r0 \|\| =2.30.0-r0 \|\| =2.31.0-r0 \|\| =2.31.0-r1 \|\| =2.31.0-r2 \|\| =2.32.2-r0 \|\| =2.32.3-r0 \|\| =2.4.3-r0 \|\| =2.5.1-r0 \|\| =2.5.2-r0 \|\| =2.6.0-r0 \|\| =2.7.0-r0 \|\| =2.8.1-r0 \|\| =2.9.1-r0 \|\| >=0 <2.32.4-r0	2.32.4-r0

1-10 of 22

Aliases

1. CVE-2024-470812. NVD-2024-470813. OSV-ALPINE-2024-470814. OSV-2024-470815. OSV-DEBIAN-2024-470816. GHSA-9hjg-9r4m-mvj77. GCVE-2024-470818. SECURITY-CVE-2024-470819. SECURITY-TRACKER-CVE-2024-47081

References

1. https://github.com/psf/requests/security/advisories/GHSA-9hjg-9r4m-mvj72. https://github.com/psf/requests/pull/69653. https://github.com/psf/requests/commit/96ba401c1296ab1dda74a2365ef36d88f7d144ef4. https://requests.readthedocs.io/en/latest/api/#requests.Session.trust_env5. https://seclists.org/fulldisclosure/2025/Jun/26. http://seclists.org/fulldisclosure/2025/Jun/27. http://www.openwall.com/lists/oss-security/2025/06/03/118. http://www.openwall.com/lists/oss-security/2025/06/03/99. http://www.openwall.com/lists/oss-security/2025/06/04/110. http://www.openwall.com/lists/oss-security/2025/06/04/6