Update dependency requests to v2.32.4 [SECURITY] #49

Merged

timatlee merged 1 commits from renovate/pypi-requests-vulnerability into main 2025-06-10 08:29:48 -06:00

Conversation 0 Commits 1 Files Changed 1 +1 -1

renovate-bot commented 2025-06-10 00:00:28 -06:00

Collaborator

Copy Link

This PR contains the following updates:

Package	Update	Change
requests (source, changelog)	patch	==2.32.3 -> ==2.32.4

---

Requests vulnerable to .netrc credentials leak via malicious URLs

CVE-2024-47081 / GHSA-9hjg-9r4m-mvj7

More information

Details

Impact

Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs.

Workarounds

For older versions of Requests, use of the .netrc file can be disabled with trust_env=False on your Requests Session (docs).

References

https://github.com/psf/requests/pull/6965
https://seclists.org/fulldisclosure/2025/Jun/2

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

References

• https://github.com/psf/requests/security/advisories/GHSA-9hjg-9r4m-mvj7
• https://nvd.nist.gov/vuln/detail/CVE-2024-47081
• https://github.com/psf/requests/pull/6965
• https://github.com/psf/requests/commit/96ba401c1296ab1dda74a2365ef36d88f7d144ef
• https://github.com/psf/requests
• https://requests.readthedocs.io/en/latest/api/#requests.Session.trust_env
• https://seclists.org/fulldisclosure/2025/Jun/2
• http://seclists.org/fulldisclosure/2025/Jun/2
• http://www.openwall.com/lists/oss-security/2025/06/03/11
• http://www.openwall.com/lists/oss-security/2025/06/03/9
• http://www.openwall.com/lists/oss-security/2025/06/04/1
• http://www.openwall.com/lists/oss-security/2025/06/04/6

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

psf/requests (requests)

v2.32.4

Compare Source

Security

• CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted
  environment will retrieve credentials for the wrong hostname/machine from a
  netrc file.

Improvements

• Numerous documentation improvements

Deprecations

• Added support for pypy 3.11 for Linux and macOS.
• Dropped support for pypy 3.9 following its end of support.

---

Configuration

📅 Schedule: Branch creation - "" in timezone America/Edmonton, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [requests](https://requests.readthedocs.io) ([source](https://github.com/psf/requests), [changelog](https://github.com/psf/requests/blob/master/HISTORY.md)) | patch | `==2.32.3` -> `==2.32.4` | --- ### Requests vulnerable to .netrc credentials leak via malicious URLs [CVE-2024-47081](https://nvd.nist.gov/vuln/detail/CVE-2024-47081) / [GHSA-9hjg-9r4m-mvj7](https://github.com/advisories/GHSA-9hjg-9r4m-mvj7) <details> <summary>More information</summary> #### Details ##### Impact Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. ##### Workarounds For older versions of Requests, use of the .netrc file can be disabled with `trust_env=False` on your Requests Session ([docs](https://requests.readthedocs.io/en/latest/api/#requests.Session.trust_env)). ##### References https://github.com/psf/requests/pull/6965 https://seclists.org/fulldisclosure/2025/Jun/2 #### Severity - CVSS Score: 5.3 / 10 (Medium) - Vector String: `CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N` #### References - [https://github.com/psf/requests/security/advisories/GHSA-9hjg-9r4m-mvj7](https://github.com/psf/requests/security/advisories/GHSA-9hjg-9r4m-mvj7) - [https://nvd.nist.gov/vuln/detail/CVE-2024-47081](https://nvd.nist.gov/vuln/detail/CVE-2024-47081) - [https://github.com/psf/requests/pull/6965](https://github.com/psf/requests/pull/6965) - [https://github.com/psf/requests/commit/96ba401c1296ab1dda74a2365ef36d88f7d144ef](https://github.com/psf/requests/commit/96ba401c1296ab1dda74a2365ef36d88f7d144ef) - [https://github.com/psf/requests](https://github.com/psf/requests) - [https://requests.readthedocs.io/en/latest/api/#requests.Session.trust_env](https://requests.readthedocs.io/en/latest/api/#requests.Session.trust_env) - [https://seclists.org/fulldisclosure/2025/Jun/2](https://seclists.org/fulldisclosure/2025/Jun/2) - [http://seclists.org/fulldisclosure/2025/Jun/2](http://seclists.org/fulldisclosure/2025/Jun/2) - [http://www.openwall.com/lists/oss-security/2025/06/03/11](http://www.openwall.com/lists/oss-security/2025/06/03/11) - [http://www.openwall.com/lists/oss-security/2025/06/03/9](http://www.openwall.com/lists/oss-security/2025/06/03/9) - [http://www.openwall.com/lists/oss-security/2025/06/04/1](http://www.openwall.com/lists/oss-security/2025/06/04/1) - [http://www.openwall.com/lists/oss-security/2025/06/04/6](http://www.openwall.com/lists/oss-security/2025/06/04/6) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-9hjg-9r4m-mvj7) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>psf/requests (requests)</summary> ### [`v2.32.4`](https://github.com/psf/requests/blob/HEAD/HISTORY.md#2324-2025-06-10) [Compare Source](https://github.com/psf/requests/compare/v2.32.3...v2.32.4) **Security** - CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted environment will retrieve credentials for the wrong hostname/machine from a netrc file. **Improvements** - Numerous documentation improvements **Deprecations** - Added support for pypy 3.11 for Linux and macOS. - Dropped support for pypy 3.9 following its end of support. </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" in timezone America/Edmonton, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC40OC4xMCIsInVwZGF0ZWRJblZlciI6IjQwLjQ4LjEwIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

renovate-bot added 1 commit 2025-06-10 00:00:29 -06:00

Update dependency requests to v2.32.4 [SECURITY] fa32fb77c6

timatlee merged commit e2be80c029 into main 2025-06-10 08:29:48 -06:00

timatlee referenced this issue from a commit 2025-06-10 08:29:50 -06:00

Merge pull request 'Update dependency requests to v2.32.4 [SECURITY]' (#49) from renovate/pypi-requests-vulnerability into main

This repo is archived. You cannot comment on pull requests.

Reviewers

No Reviewers

Labels

No items

No Label

Milestone

No items

No Milestone

Assignees

Clear assignees

renovate-bot timatlee

No Assignees

1 Participants

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: timatlee/cloudflare-ddns-docker-updated#49

No description provided.