Requests vulnerable to .netrc credentials leak via malicious URLs
Description
Published by the National Vulnerability Database
Jun 9, 2025
Published to the GitHub Advisory Database
Jun 9, 2025
Reviewed
Jun 9, 2025
Last updated
Jun 9, 2025
Impact
Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs.
Workarounds
For older versions of Requests, use of the .netrc file can be disabled with trust_env=False on your Requests Session (docs).
References
psf/requests#6965
https://seclists.org/fulldisclosure/2025/Jun/2
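
The workaround described above, as an added example that is not code from the advisory or from the Requests project: a helper that sets trust_env=False only when the installed release is older than 2.32.4. The names FIXED_RELEASE, parse_release, needs_workaround, harden_session and make_session are hypothetical, and the sample version strings are constructed.

```python
import re

# First fixed release according to the advisory above.
FIXED_RELEASE = (2, 32, 4)


def parse_release(version_text):
    """Return the leading numeric release as a 3-tuple, e.g. '2.31.0' -> (2, 31, 0)."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", version_text)
    if match is None:
        raise ValueError(f"unrecognised version string: {version_text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    return (parts + (0, 0, 0))[:3]


def needs_workaround(version_text):
    """True when the given Requests version predates the fixed release."""
    return parse_release(version_text) < FIXED_RELEASE


def harden_session(session, version_text):
    """Disable environment-derived settings on a Session for affected releases.

    trust_env=False stops Requests from reading .netrc, and also stops it from
    reading proxy and CA-bundle environment variables, so pass those explicitly
    (proxies=, verify=, auth=) if the application relied on them.
    """
    if needs_workaround(version_text):
        session.trust_env = False
    return session


def make_session():
    """Build a Session for the installed Requests, applying the workaround if needed."""
    import requests  # imported lazily so the helpers above work without it

    return harden_session(requests.Session(), requests.__version__)


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real inventory.
    for sample in ("2.25.1", "2.32.3", "2.32.4", "2.33.0"):
        print(sample, "needs trust_env=False:", needs_workaround(sample))
```

Code that depended on .netrc for authentication must pass credentials explicitly with auth= once trust_env is disabled.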