Skip to content
This repository was archived by the owner on Jun 5, 2026. It is now read-only.

chore(deps): update dependency requests to v2.32.4 [security]#4

Closed
renovate-sh-app[bot] wants to merge 1 commit into
mainfrom
renovate/pypi-requests-vulnerability
Closed

chore(deps): update dependency requests to v2.32.4 [security]#4
renovate-sh-app[bot] wants to merge 1 commit into
mainfrom
renovate/pypi-requests-vulnerability

Conversation

@renovate-sh-app

@renovate-sh-app renovate-sh-app Bot commented Oct 13, 2025

Copy link
Copy Markdown

This PR contains the following updates:

Package Change Age Confidence
requests (source, changelog) 2.32.3 -> 2.32.4 age confidence

Requests vulnerable to .netrc credentials leak via malicious URLs

CVE-2024-47081 / GHSA-9hjg-9r4m-mvj7

More information

Details

Impact

Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs.

Workarounds

For older versions of Requests, use of the .netrc file can be disabled with trust_env=False on your Requests Session (docs).

References

https://github.com/psf/requests/pull/6965
https://seclists.org/fulldisclosure/2025/Jun/2

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

psf/requests (requests)

v2.32.4

Compare Source

Security

  • CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted
    environment will retrieve credentials for the wrong hostname/machine from a
    netrc file.

Improvements

  • Numerous documentation improvements

Deprecations

  • Added support for pypy 3.11 for Linux and macOS.
  • Dropped support for pypy 3.9 following its end of support.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.

@renovate-sh-app
renovate-sh-app Bot requested review from a team October 13, 2025 18:11
@renovate-sh-app renovate-sh-app Bot changed the title chore(deps): update dependency requests to v2.32.4 [security] chore(deps): update dependency requests to v2.32.4 [security] - autoclosed Nov 24, 2025
@renovate-sh-app renovate-sh-app Bot closed this Nov 24, 2025
@renovate-sh-app
renovate-sh-app Bot deleted the renovate/pypi-requests-vulnerability branch November 24, 2025 18:38
@renovate-sh-app renovate-sh-app Bot changed the title chore(deps): update dependency requests to v2.32.4 [security] - autoclosed chore(deps): update dependency requests to v2.32.4 [security] Nov 24, 2025
@renovate-sh-app renovate-sh-app Bot reopened this Nov 24, 2025
@renovate-sh-app
renovate-sh-app Bot force-pushed the renovate/pypi-requests-vulnerability branch 2 times, most recently from e76365a to 11dfbfc Compare November 24, 2025 21:31
@renovate-sh-app renovate-sh-app Bot changed the title chore(deps): update dependency requests to v2.32.4 [security] chore(deps): update dependency requests to v2.32.4 [security] - autoclosed Nov 27, 2025
@renovate-sh-app renovate-sh-app Bot closed this Nov 27, 2025
| datasource | package  | from   | to     |
| ---------- | -------- | ------ | ------ |
| pypi       | requests | 2.32.3 | 2.32.4 |


Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
@renovate-sh-app renovate-sh-app Bot changed the title chore(deps): update dependency requests to v2.32.4 [security] - autoclosed chore(deps): update dependency requests to v2.32.4 [security] Nov 27, 2025
@renovate-sh-app renovate-sh-app Bot reopened this Nov 27, 2025
@renovate-sh-app
renovate-sh-app Bot force-pushed the renovate/pypi-requests-vulnerability branch 2 times, most recently from 11dfbfc to 85a31b5 Compare November 27, 2025 06:13
@dsotirakis dsotirakis closed this Jun 5, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant