Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3Blast Radius
ecosystem impact- 1 pypi packages depend on web3 (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 6.0.0b3.
DescriptionGitHub Advisory
web3.py allows you to interact with the Ethereum blockchain using Python. From 6.0.0b3 to before 7.15.0 and 8.0.0b2, web3.py implements CCIP Read / OffchainLookup (EIP-3668) by performing HTTP requests to URLs supplied by smart contracts in offchain_lookup_payload["urls"]. The implementation uses these contract-supplied URLs directly (after {sender} / {data} template substitution) without any destination validation. CCIP Read is enabled by default (global_ccip_read_enabled = True on all providers), meaning any application using web3.py's .call() method is exposed without explicit opt-in. This results in Server-Side Request Forgery (SSRF) when web3.py is used in backend services, indexers, APIs, or any environment that performs eth_call / .call() against untrusted or user-supplied contract addresses. A malicious contract can force the web3.py process to issue HTTP requests to arbitrary destinations, including internal network services and cloud metadata endpoints. This vulnerability is fixed in 7.15.0 and 8.0.0b2.
AnalysisAI
Server-Side Request Forgery in web3.py 6.0.0b3 through 7.14.x and 8.0.0b1 enables malicious smart contracts to force the library to issue HTTP requests to arbitrary destinations via CCIP Read (EIP-3668) URL templates without destination validation. The vulnerability affects all applications using web3.py's .call() method against untrusted contract addresses, as CCIP Read is enabled by default, allowing attackers to target internal network services and cloud metadata endpoints. The issue is remedied in versions 7.15.0 and 8.0.0b2.
Technical ContextAI
web3.py is a Python library for interacting with Ethereum blockchain nodes via JSON-RPC. It implements CCIP Read (Canonical Contract Interface Profile Read, defined in EIP-3668), which allows smart contracts to specify offchain data sources through the offchain_lookup_payload structure. When a contract invokes the offchain lookup mechanism, the library constructs HTTP requests using URLs supplied directly by the contract code after simple template substitution for {sender} and {data} placeholders. The root cause (CWE-918: Server-Side Request Forgery) stems from the absence of URL validation or destination allowlisting before these HTTP requests are dispatched. The vulnerability is particularly severe because CCIP Read is globally enabled by default (global_ccip_read_enabled = True) on all provider instances, meaning developers must explicitly disable the feature to protect their applications-rather than requiring explicit opt-in for the offchain lookup mechanism. The affected CPE range is ethereum:web3.py versions 6.0.0b3 through before 7.15.0, and 8.0.0b2 specifically.
RemediationAI
Upgrade web3.py to version 7.15.0 or later for the 7.x series, or 8.0.0b2 or later for the 8.x series. For immediate mitigation on older versions, disable CCIP Read globally by setting global_ccip_read_enabled = False on all provider instances, though this may impact functionality for legitimate offchain lookups. The upstream fix (commit b1c57bb0a124359c9902daaefab4d8af7c3c4c1e) validates destination URLs before issuing HTTP requests. Applications should review their web3.py dependencies and prioritize patching in backend services, indexers, and APIs that process calls to user-influenced or untrusted smart contracts. Additional hardening includes restricting outbound network access from web3.py processes via firewall rules or runtime policies to block requests to internal network ranges and cloud metadata endpoints (e.g., 169.254.169.254, 127.0.0.1). The official patch is available at https://github.com/ethereum/web3.py/security/advisories/GHSA-5hr4-253g-cpx2.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21000