CVE-2024-47081
Public on 2025-06-09
Modified on 2025-06-10
Description
Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc file can be disabled with `trust_env=False` on one's Requests Session.
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 1 | aws-cfn-bootstrap | No Fix Planned | ||
| Amazon Linux 2 - Core | aws-cfn-bootstrap | Pending Fix | ||
| Amazon Linux 2023 | awscli-2 | Pending Fix | ||
| Amazon Linux 1 | python-botocore | No Fix Planned | ||
| Amazon Linux 2023 | python-botocore | Pending Fix | ||
| Amazon Linux 1 | python-pip | No Fix Planned | ||
| Amazon Linux 2 - Core | python-pip | Pending Fix | ||
| Amazon Linux 1 | python-requests | No Fix Planned | ||
| Amazon Linux 2 - Core | python-requests | 2025-06-24 | ALAS2-2025-2907 | Fixed |
| Amazon Linux 2023 | python-requests | Pending Fix | ||
| Amazon Linux 2 - Core | python3-requests | 2025-06-24 | ALAS2-2025-2906 | Fixed |
| Amazon Linux 2023 | python3.11-pip | Pending Fix | ||
| Amazon Linux 2023 | python3.12-pip | Pending Fix |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 5.3 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N |
| NVD | CVSSv3 | 5.3 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N |