
Only use hostname to do netrc lookup instead of netloc #6965

Merged
sigmavirus24 merged 1 commit into psf:main from sethmlarson:ghsa-9hjg-9r4m-mvj7
Jun 4, 2025

Conversation

@sethmlarson (Member)

Applies the patch generated from the GHSA which we couldn't merge as no one on the team had sufficient permissions.

@sigmavirus24 sigmavirus24 merged commit 96ba401 into psf:main Jun 4, 2025
29 checks passed
@sethmlarson sethmlarson deleted the ghsa-9hjg-9r4m-mvj7 branch June 4, 2025 15:43
amine-malloul-gira pushed a commit to gira-de/splat that referenced this pull request Jun 10, 2025
This update addresses the following vulnerabilities:

- ### Impact
  Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs.
  ### Workarounds
  For older versions of Requests, use of the .netrc file can be disabled with `trust_env=False` on your Requests Session ([docs](https://requests.readthedocs.io/en/latest/api/#requests.Session.trust_env)).
  ### References
  psf/requests#6965
  https://seclists.org/fulldisclosure/2025/Jun/2
  - Aliases: CVE-2024-47081
  - Recommendation: 2.32.4
bmwiedemann pushed a commit to bmwiedemann/openSUSE that referenced this pull request Jun 10, 2025
https://build.opensuse.org/request/show/1282999
by user dgarcia + anag_factory
- Add CVE-2024-47081.patch upstream patch, fixes netrc credential leak
  (gh#psf/requests#6965, CVE-2024-47081, bsc#1244039)

luketainton pushed a commit to luketainton/repos_PwnedPW that referenced this pull request Jan 21, 2026
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [requests](https://requests.readthedocs.io) ([source](https://github.com/psf/requests), [changelog](https://github.com/psf/requests/blob/master/HISTORY.md)) | `2.32.3` → `2.32.4` | ![age](https://developer.mend.io/api/mc/badges/age/pypi/requests/2.32.4?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/requests/2.32.3/2.32.4?slim=true) |

---

### Requests vulnerable to .netrc credentials leak via malicious URLs
[CVE-2024-47081](https://nvd.nist.gov/vuln/detail/CVE-2024-47081) / [GHSA-9hjg-9r4m-mvj7](GHSA-9hjg-9r4m-mvj7)

<details>
<summary>More information</summary>

#### Details
##### Impact

Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs.

##### Workarounds
For older versions of Requests, use of the .netrc file can be disabled with `trust_env=False` on your Requests Session ([docs](https://requests.readthedocs.io/en/latest/api/#requests.Session.trust_env)).

##### References
psf/requests#6965
https://seclists.org/fulldisclosure/2025/Jun/2

#### Severity
- CVSS Score: 5.3 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N`

#### References
- [https://github.com/psf/requests/security/advisories/GHSA-9hjg-9r4m-mvj7](https://github.com/psf/requests/security/advisories/GHSA-9hjg-9r4m-mvj7)
- [https://nvd.nist.gov/vuln/detail/CVE-2024-47081](https://nvd.nist.gov/vuln/detail/CVE-2024-47081)
- [https://github.com/psf/requests/pull/6965](https://github.com/psf/requests/pull/6965)
- [https://github.com/psf/requests/commit/96ba401c1296ab1dda74a2365ef36d88f7d144ef](https://github.com/psf/requests/commit/96ba401c1296ab1dda74a2365ef36d88f7d144ef)
- [https://github.com/psf/requests](https://github.com/psf/requests)
- [https://requests.readthedocs.io/en/latest/api/#requests.Session.trust_env](https://requests.readthedocs.io/en/latest/api/#requests.Session.trust_env)
- [https://seclists.org/fulldisclosure/2025/Jun/2](https://seclists.org/fulldisclosure/2025/Jun/2)
- [http://seclists.org/fulldisclosure/2025/Jun/2](http://seclists.org/fulldisclosure/2025/Jun/2)
- [http://www.openwall.com/lists/oss-security/2025/06/03/11](http://www.openwall.com/lists/oss-security/2025/06/03/11)
- [http://www.openwall.com/lists/oss-security/2025/06/03/9](http://www.openwall.com/lists/oss-security/2025/06/03/9)
- [http://www.openwall.com/lists/oss-security/2025/06/04/1](http://www.openwall.com/lists/oss-security/2025/06/04/1)
- [http://www.openwall.com/lists/oss-security/2025/06/04/6](http://www.openwall.com/lists/oss-security/2025/06/04/6)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-9hjg-9r4m-mvj7) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>psf/requests (requests)</summary>

### [`v2.32.4`](https://github.com/psf/requests/blob/HEAD/HISTORY.md#2324-2025-06-10)

[Compare Source](psf/requests@v2.32.3...v2.32.4)

**Security**

- CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted
  environment will retrieve credentials for the wrong hostname/machine from a
  netrc file.

**Improvements**

- Numerous documentation improvements

**Deprecations**

- Added support for pypy 3.11 for Linux and macOS.
- Dropped support for pypy 3.9 following its end of support.

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi44OC4yIiwidXBkYXRlZEluVmVyIjoiNDIuODguMiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsic2VjdXJpdHkiXX0=-->

Reviewed-on: https://git.tainton.uk/repos/PwnedPW/pulls/322
Co-authored-by: renovate[bot] <renovate-bot@git.tainton.uk>
Co-committed-by: renovate[bot] <renovate-bot@git.tainton.uk>
maxwellsarpong pushed a commit to maxwellsarpong/events-app that referenced this pull request Feb 6, 2026
### Impact
Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs.
### Workarounds
For older versions of Requests, use of the .netrc file can be disabled with `trust_env=False` on your Requests Session ([docs](https://requests.readthedocs.io/en/latest/api/#requests.Session.trust_env)).
### References
psf/requests#6965
https://seclists.org/fulldisclosure/2025/Jun/2
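Added example, not code from the requests project or from anyone in this thread: a stand-alone, stdlib-only model of the .netrc lookup named in the PR title, in its pre-fix and fixed form side by side, together with the `trust_env` gate that the advisory's workaround relies on. Assumptions: the pre-fix lookup is reconstructed as `netloc` truncated at the first `:`; `resolve_auth` is a simplification of the check in `Session.prepare_request` and does not reproduce how requests treats credentials embedded in the URL itself, so the crafted URL below only shows that the two keys select different .netrc entries, not a complete exploit against a particular release; the .netrc contents and host names are constructed placeholders.

```python
import netrc
import os
import tempfile
from typing import Optional, Tuple
from urllib.parse import urlparse

# Constructed sample .netrc: credentials for exactly one trusted host.
SAMPLE_NETRC = (
    "machine trusted.example\n"
    "  login alice\n"
    "  password s3cret-token\n"
)


def netrc_host_key(url: str, use_hostname: bool) -> Optional[str]:
    """Return the string that will be looked up as the .netrc `machine`."""
    parts = urlparse(url)
    if use_hostname:
        # Fixed behaviour (PR #6965): hostname drops userinfo and port,
        # unwraps IPv6 brackets and lowercases the host.
        return parts.hostname
    # Pre-fix behaviour as reconstructed here (assumption, not a quote of
    # the old code): netloc up to the first ':'.  Whatever a URL puts in
    # front of the first ':' becomes the lookup key, whether or not it is
    # the host the request is actually sent to.
    return parts.netloc.split(":")[0]


def lookup_netrc(url: str, netrc_path: str, use_hostname: bool) -> Optional[Tuple[str, str]]:
    """(login, password) from the netrc file for `url`, or None."""
    key = netrc_host_key(url, use_hostname)
    if not key:
        return None
    entry = netrc.netrc(netrc_path).authenticators(key)
    if entry is None:
        return None
    login, _account, password = entry
    return login, password


def resolve_auth(url, netrc_path, trust_env=True, explicit_auth=None, use_hostname=True):
    """Simplified model of the gate in requests.Session.prepare_request:
    .netrc is consulted only when trust_env is true and no auth was given,
    so trust_env=False (the advisory's workaround) never opens the file."""
    if explicit_auth is not None:
        return explicit_auth
    if not trust_env:
        return None
    return lookup_netrc(url, netrc_path, use_hostname)


def demo(url: str, use_hostname: bool = True, trust_env: bool = True):
    """Run resolve_auth against a throwaway copy of SAMPLE_NETRC."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "netrc")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_NETRC)
        os.chmod(path, 0o600)
        return resolve_auth(url, path, trust_env=trust_env, use_hostname=use_hostname)


if __name__ == "__main__":
    # Constructed URLs (host names are placeholders).  The last one carries
    # userinfo that reads like a host name, so netloc and hostname disagree.
    for url in (
        "https://trusted.example/repo",
        "https://TRUSTED.example:8443/repo",
        "https://[::1]:8080/",
        "https://trusted.example:@attacker.example/collect",
    ):
        print(url)
        for use_hostname in (False, True):
            label = "hostname" if use_hostname else "netloc  "
            key = netrc_host_key(url, use_hostname)
            print(f"  key via {label}: {key!r:>22} -> {demo(url, use_hostname)}")
        print(f"  trust_env=False: {demo(url, trust_env=False)}")
```

Two things the run makes visible: the pre-fix key hands the trusted host's credentials to a URL whose actual hostname is `attacker.example`, and it also misses a legitimately cased `TRUSTED.example` and an IPv6 literal, which `hostname` handles. Note that `trust_env=False` is broader than the advisory's one-line description suggests: it also stops requests reading proxy settings and the `REQUESTS_CA_BUNDLE`/`CURL_CA_BUNDLE` variables from the environment, so treat it as a stopgap for pinned older versions and upgrade to 2.32.4 where possible.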
4 participants