Python
CVE-2026-33752
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 1,922 pypi packages depend on curl-cffi (603 direct, 1,329 indirect)
Ecosystem-wide dependent count for version 0.15.0.
DescriptionGitHub Advisory
Summary
curl_cffi does not restrict requests to internal IP ranges, and follows redirects automatically via the underlying libcurl.
Because of this, an attacker-controlled URL can redirect requests to internal services such as cloud metadata endpoints. In addition, curl_cffi’s TLS impersonation feature can make these requests appear as legitimate browser traffic, which may bypass certain network controls.
Details
The issue comes from how curl_cffi handles outbound requests
- User-supplied URLs are passed directly to libcurl without checking whether they resolve to internal IP ranges (e.g., 127.0.0.1, 169.254.0.0/16).
- Redirects are automatically followed (CURLOPT_FOLLOWLOCATION = 1) inside libcurl.
- There is no validation of redirect destinations at the Python layer.
This means that even if an application only allows requests to external URLs, an attacker can
- Provide a URL pointing to an attacker-controlled server
- Return a redirect response pointing to an internal service
- Have curl_cffi follow that redirect automatically
As a result, internal endpoints (such as cloud instance metadata APIs) can be accessed.
Additionally, curl_cffi supports TLS fingerprint impersonation (e.g., impersonate="chrome"). In environments where outbound requests are filtered based on TLS fingerprinting, this can make such requests harder to detect or block
This behavior is similar to previously reported redirect-based SSRF issues such as CVE-2025-68616, where redirects allowed access to unintended internal resources.
PoC
- Direct internal request
import curl_cffi
resp = curl_cffi.get("http://169.254.169.254/latest/meta-data/")
print(resp.text)- Redirect to internal service
Attacker server:
GET /test
→ 302 Location: http://169.254.169.254/latest/meta-data/Victim code:
import curl_cffi
resp = curl_cffi.get("https://attacker.example/test")
print(resp.text)Result
- Initial request goes to attacker server
- Redirect is returned
- libcurl follows the redirect automatically
- Internal metadata endpoint is accessed
- With TLS impersonation
import curl_cffi\
resp = curl_cffi.get(
"https://attacker.example/test",
impersonate="chrome")In some environments, this may help the request bypass TLS-based filtering controls.
Impact
An attacker who can control the requested URL may be able to:
- Access internal network services
- Reach cloud metadata endpoints and retrieve sensitive information
- Bypass certain outbound filtering mechanisms (depending on environment)
This corresponds to CWE-918 Server-Side Request Forgery.
AnalysisAI
Server-Side Request Forgery in curl_cffi Python library allows unauthenticated remote attackers to access internal network resources and cloud metadata endpoints via attacker-controlled redirect chains. The library passes user-supplied URLs directly to libcurl without validating destination IP ranges and follows redirects automatically (CURLOPT_FOLLOWLOCATION enabled), enabling access to services like AWS/GCP metadata APIs (169.254.169.254). TLS fingerprint impersonation features (e.g., 'impersonate=chrome') can disguise these requests as legitimate browser traffic, potentially bypassing network controls. EPSS data not available; no active exploitation confirmed (not in CISA KEV); functional proof-of-concept publicly disclosed in GitHub advisory.
Technical ContextAI
curl_cffi is a Python binding for libcurl that provides browser TLS fingerprinting capabilities. The vulnerability (CWE-918) stems from the library's design where user-controlled URLs are forwarded to the underlying libcurl engine without Python-layer validation of destination IP addresses or redirect targets. LibCurl's automatic redirect following (CURLOPT_FOLLOWLOCATION flag set to 1) operates below the Python abstraction layer, creating a blind spot where redirect chains can pivot from external attacker-controlled servers to internal RFC1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local addresses (169.254.0.0/16), or loopback interfaces (127.0.0.0/8). The TLS impersonation feature, while designed for legitimate web scraping and testing, generates ClientHello fingerprints matching popular browsers, potentially evading network security controls that allowlist browser-like traffic patterns while blocking non-browser HTTP clients.
RemediationAI
Monitor the official GitHub Security Advisory at https://github.com/lexiforest/curl_cffi/security/advisories/GHSA-qw2m-4pqf-rmpp for vendor-released patch announcements with specific fixed version numbers; patch status not confirmed from available data at time of analysis. Until patched versions are available, implement application-layer URL validation before passing URLs to curl_cffi: parse and validate destination hostnames and IP addresses against allowlists, explicitly reject requests to RFC1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local addresses (169.254.0.0/16), loopback ranges (127.0.0.0/8), and IPv6 equivalents. Disable automatic redirect following where possible by reviewing curl_cffi options or implementing custom redirect handling with destination validation at each hop. For cloud deployments, enforce network-layer controls: configure security groups or firewall rules preventing egress to metadata service IPs (169.254.169.254), implement IMDSv2 requiring session tokens on AWS EC2 instances, and enable metadata service protection features on GCP and Azure. Consider replacing curl_cffi with libraries offering built-in SSRF protections or wrapping requests in a proxy service that validates all outbound destinations.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-qw2m-4pqf-rmpp