Web3 Py

1 CVEs product

Monthly

CVE-2026-40072 LOW Monitor

Server-Side Request Forgery in web3.py 6.0.0b3 through 7.14.x and 8.0.0b1 enables malicious smart contracts to force the library to issue HTTP requests to arbitrary destinations via CCIP Read (EIP-3668) URL templates without destination validation. The vulnerability affects all applications using web3.py's .call() method against untrusted contract addresses, as CCIP Read is enabled by default, allowing attackers to target internal network services and cloud metadata endpoints. The issue is remedied in versions 7.15.0 and 8.0.0b2.

Tags: SSRF, Python, Web3 Py
References: NVD, GitHub
CVSS 4.0: 1.7 (LOW)
EPSS: 0.0%
Status: Monitor

