compliance-trestle CVE-2026-46380
MEDIUMSeverity by source
AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
A source code audit led to the discovery of three significant security vulnerabilities in the trestle/core/remote/cache.py module.
Finding 1 (Critical): SSRF (CWE-918) The HTTPSFetcher._do_fetch() method passes a user-supplied URL directly to requests.get() without validation. This allows an attacker to perform Server-Side Request Forgery, targeting internal services or cloud metadata endpoints (e.g., 169.254.169.254).
Per rule 4.2.11 of the CVE CNA rules Finding 1 will be addressed in this advisory, while findings 2 & 3 will be addressed in separate advisories:
---
Multiple Path Traversal Vulnerabilities in Remote Fetching Subsystem
Finding 2 & 3 (High/Medium): Path Traversal (CWE-22) The caching logic for HTTPSFetcher and LocalFetcher fails to sanitize URI paths, allowing for arbitrary file reads via file:// or writing cached files outside the intended directory.
Impact: > These vulnerabilities can be chained to exfiltrate sensitive cloud credentials or compromise CI/CD environments.
Reproduction: > Please see the attached poc_ssrf_and_path_traversal.py and terminal_output.txt. 13 exploit vectors have been verified locally.
compliance-trestle_audit_2026-03-30.pdf poc_ssrf_and_path_traversal.py terminal_output.txt
AnalysisAI
Server-Side Request Forgery in compliance-trestle's HTTPSFetcher._do_fetch() allows a local low-privileged attacker to redirect outbound HTTP requests to internal services or cloud metadata endpoints such as 169.254.169.254 - enabling credential theft from AWS, GCP, or Azure instance metadata. Affected are all pip releases of compliance-trestle before 3.12.2 and versions 4.0.0 through 4.0.2. A public proof-of-concept (poc_ssrf_and_path_traversal.py) with 13 verified exploit vectors is attached to the GitHub Security Advisory GHSA-w76h-q7c6-jpjp; no public exploit identified at time of analysis as confirmed active exploitation (CISA KEV) and no EPSS score was provided in the input data.
Technical ContextAI
compliance-trestle (pkg:pip/compliance-trestle) is an OSCAL (Open Security Controls Assessment Language) automation framework used in compliance and CI/CD workflows. The vulnerable code resides in trestle/core/remote/cache.py, specifically in the HTTPSFetcher._do_fetch() method, which invokes Python's requests.get() with an unvalidated caller-supplied URL. CWE-918 (Server-Side Request Forgery) applies: the server-side process makes outbound HTTP requests to destinations the attacker controls, bypassing network controls that filter inbound traffic. The same module also contains path traversal flaws (CWE-22) in the HTTPSFetcher and LocalFetcher caching logic (tracked in separate CVEs per the advisory), which can be chained with this SSRF to read or write files outside the intended cache directory. The patched code introduces a two-tier SSRF defense: hard-blocking of loopback (127.0.0.0/8), link-local (169.254.0.0/16), and cloud metadata endpoints; and optional blocking of RFC 1918 private ranges via TRESTLE_BLOCK_PRIVATE_IPS=true.
RemediationAI
Upgrade compliance-trestle to version 4.0.3 (for 4.x users) or 3.12.2 (for 3.x users) - these are the vendor-confirmed fixed releases per GHSA-w76h-q7c6-jpjp. Patch commits are available at https://github.com/oscal-compass/compliance-trestle/commit/53de5e75332888ea54f5da41d4c7859bb1d608e1 and https://github.com/oscal-compass/compliance-trestle/commit/5c65c5926fe7ca908b9c1d281f904e7d97ba8310. For environments that cannot patch immediately, set the environment variable TRESTLE_BLOCK_PRIVATE_IPS=true to block RFC 1918 ranges in addition to the hard-blocked loopback and cloud metadata endpoints introduced in the fix. As a compensating control, restrict the network egress of the process running trestle so it cannot reach 169.254.169.254 or other metadata endpoints - most cloud providers support host-level firewall rules or IMDSv2 enforcement (AWS) that can block unauthenticated metadata access as a defense-in-depth measure, though this does not fix the underlying code flaw. Audit CI/CD pipeline configuration files for externally controlled URL inputs to trestle fetch operations.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-w76h-q7c6-jpjp