Dependabot Security Alert
| Field | Value |
| --- | --- |
| GHSA | GHSA-9hjg-9r4m-mvj7 |
| CVE | CVE-2024-47081 |
| Severity | medium |
| Package | requests (pip) |
| Affected version | runtime |
| Summary | Requests vulnerable to .netrc credentials leak via malicious URLs |
| Repository | Qbeast-io/qbeast-spark |
Description
Impact
Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs.
Workarounds
For older versions of Requests, use of the .netrc file can be disabled with trust_env=False on your Requests Session (docs).
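The following is an added example, not code from the advisory or from the Requests project: it compares the installed version against the 2.32.4 threshold and shows, without any network traffic, that a session with trust_env=False no longer attaches .netrc credentials. The host internal.example, the netrc entry and the helper names are constructed for illustration.

```python
import os
import re
import tempfile

import requests

FIXED_VERSION = (2, 32, 4)  # first fixed release, per the advisory


def is_affected(version: str = requests.__version__) -> bool:
    """Return True when the given Requests version predates 2.32.4."""
    match = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(g or 0) for g in match.groups()) < FIXED_VERSION


def hardened_session() -> requests.Session:
    """Session that ignores environment-derived settings, including .netrc."""
    session = requests.Session()
    session.trust_env = False
    return session


def netrc_auth_attached(session: requests.Session, url: str) -> bool:
    """Prepare (but never send) a request and report whether auth was added."""
    prepared = session.prepare_request(requests.Request("GET", url))
    return "Authorization" in prepared.headers


def demo() -> dict:
    """Compare a default and a hardened session against a constructed netrc."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "netrc")
        with open(path, "w") as fh:  # constructed sample entry
            fh.write("machine internal.example login alice password constructed-password\n")
        previous = os.environ.get("NETRC")
        os.environ["NETRC"] = path  # Requests honours NETRC when trust_env is True
        try:
            url = "https://internal.example/api"
            return {"default": netrc_auth_attached(requests.Session(), url),
                    "hardened": netrc_auth_attached(hardened_session(), url)}
        finally:
            if previous is None:
                del os.environ["NETRC"]
            else:
                os.environ["NETRC"] = previous


if __name__ == "__main__":
    print("installed version affected:", is_affected())
    print(demo())
```

Setting trust_env=False also stops the session from reading proxy and CA-bundle environment variables, so configure those explicitly on the session if the application depends on them.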
References
psf/requests#6965
https://seclists.org/fulldisclosure/2025/Jun/2
Alert link
View on GitHub
Automatically created by the Vanta/Dependabot → ZenHub sync pipeline
GHSA: GHSA-9hjg-9r4m-mvj7