Platform
python
Component
curl-cffi
Fixed in
0.15.1
0.15.0
CVE-2026-33752 describes a Server-Side Request Forgery (SSRF) vulnerability in the curl-cffi Python library. The flaw lets an attacker steer requests made by the library to internal services, potentially exposing sensitive data or granting unauthorized access. The advisory lists versions of curl-cffi up to and including 0.9.0b2 as affected; the fix ships in version 0.15.0.
The SSRF arises from two behaviours: the library does not restrict requests to internal IP ranges, and it lets libcurl follow redirects automatically. An attacker who controls a URL the application fetches can have it redirect to an internal resource such as a cloud metadata endpoint, which typically exposes API keys, instance details and credentials. The TLS impersonation feature makes this worse: the resulting requests look like ordinary browser traffic and may pass network controls and firewalls that would flag a bare libcurl client. Successful exploitation can lead to data exposure, unauthorized access to internal systems and, in the worst case, compromise of the surrounding infrastructure.
CVE-2026-33752 was publicly disclosed on 2026-04-03. As an SSRF, it is attractive to attackers who want to map internal networks and find exploitable services. No public proof-of-concept (PoC) has been widely reported, but SSRF bugs of this kind are straightforward to exploit, so the probability of exploitation should be treated as moderate. It is not currently listed in the CISA KEV catalog.
Any application or service that uses curl-cffi to make HTTP requests is at risk: web applications, automation scripts and other Python-based tools. Deployments in which curl-cffi fetches attacker-influenced URLs from inside a cloud network, where metadata endpoints and other internal services are reachable, are the most exposed.
• python / library (the original check compared version strings lexicographically, which would report 0.15.0 as vulnerable because '1' sorts before '9'; parsed versions are compared here, against the fix release named in the advisory):
```python
from importlib.metadata import PackageNotFoundError, version
from packaging.version import Version  # pip install packaging

# Compare parsed versions; as strings, '0.15.0' sorts before '0.9.0b2'.
try:
    installed = Version(version("curl-cffi"))
except PackageNotFoundError:
    print("curl-cffi is not installed")
else:
    if installed < Version("0.15.0"):  # fix version named in the advisory
        print(f"Vulnerable version of curl-cffi detected: {installed}")
```
• generic web (these headers identify the web server or framework, not whether curl-cffi is used behind it; treat them as an inventory hint, not a vulnerability check):
```shell
curl -I https://your-application-url/ | grep -i 'Server:'
```
• generic web:
```shell
curl -I https://your-application-url/ | grep -i 'X-Powered-By:'
```
Disclosure
Exploit status
EPSS
0.01% (2nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-33752 is to upgrade curl-cffi to version 0.15.0 or later. If an immediate upgrade is not feasible because of compatibility issues or breaking changes, apply temporary workarounds: restrict outbound network access for processes that use curl-cffi (in particular to link-local and private ranges, including the cloud metadata address), validate every URL before it is requested and reject hosts that resolve to internal addresses, disable libcurl's automatic redirect following and re-validate each redirect target yourself, and use a Web Application Firewall (WAF) to filter malicious input. Monitor egress traffic for unexpected connections to internal IP addresses. After upgrading, verify the fix by pointing curl-cffi at a known internal resource (directly and via a redirect) and confirming that the request is rejected.
Update the curl_cffi library to version 0.15.0 or later to mitigate the vulnerability. According to the advisory, this update restricts requests to internal IP ranges and fixes the redirect handling, preventing unauthorized access to internal services.
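As an added illustration of the workaround described above (example code written for this page, not curl-cffi's own code or API): an egress guard that rejects http(s) URLs whose host resolves into loopback, private or link-local space (including the 169.254.169.254 metadata address), and a redirect loop that re-checks every hop instead of letting libcurl follow redirects by itself. The DNS records and HTTP responses are constructed stand-ins so the example runs offline; `send` is the one function you would replace with a real request. The `allow_redirects=False` parameter name mentioned for curl-cffi's requests-style API is an assumption to verify against your installed version.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

# Address ranges a server-side fetcher should never reach. 169.254.0.0/16
# contains the cloud metadata endpoint (169.254.169.254) named in the advisory.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

def is_blocked_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) so it cannot slip past the IPv4 ranges.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)

def resolve(host: str, resolver=None) -> list:
    """Every address the host resolves to; `resolver` injects a constructed lookup."""
    if resolver is not None:
        return list(resolver(host))
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def check_url(url: str, resolver=None) -> str:
    """Return url unchanged, or raise ValueError if any resolved address is blocked."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no host")
    for addr in resolve(parts.hostname, resolver):
        if is_blocked_address(addr):
            raise ValueError(f"{parts.hostname} resolves to blocked address {addr}")
    return url

def fetch_checked(url: str, send, resolver=None, max_redirects: int = 5):
    """Follow redirects by hand, re-validating every hop before it is requested.

    `send(url)` performs ONE request with libcurl's automatic redirects off and
    returns (status, headers, body). With curl-cffi's requests-style API that is
    allow_redirects=False (assumed parameter name; check your installed version).
    """
    hops = [check_url(url, resolver)]
    for _ in range(max_redirects):
        status, headers, body = send(hops[-1])
        if status not in (301, 302, 303, 307, 308):
            return status, body, hops
        location = headers.get("Location") or headers.get("location")
        if not location:
            raise ValueError(f"{status} response without Location header")
        # Relative Locations resolve against the hop that issued them; check the result.
        hops.append(check_url(urljoin(hops[-1], location), resolver))
    raise ValueError("too many redirects")

# --- constructed DNS and HTTP stand-ins so the example runs offline ----------
NAMES = {
    "api.example.com": ["203.0.113.10"],
    "evil.example.net": ["203.0.113.99"],
    "rebind.example.net": ["203.0.113.5", "10.0.0.8"],  # one public, one private record
}
RESPONSES = {
    "https://api.example.com/data": (200, {}, b"ok"),
    "https://evil.example.net/rel": (301, {"Location": "/go"}, b""),
    "https://evil.example.net/go": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""),
}

def constructed_resolver(host):
    try:
        return [str(ipaddress.ip_address(host))]  # literal IPs resolve to themselves
    except ValueError:
        return NAMES[host]

def constructed_send(url):
    return RESPONSES.get(url, (404, {}, b""))

def demo() -> dict:
    """Run the constructed cases and report 'allowed'/'blocked' per URL."""
    cases = [
        "https://api.example.com/data",
        "https://evil.example.net/rel",
        "http://rebind.example.net/",
        "http://[::ffff:169.254.169.254]/",
        "file:///etc/passwd",
    ]
    out = {}
    for url in cases:
        try:
            status, _body, hops = fetch_checked(url, constructed_send, constructed_resolver)
            out[url] = f"allowed ({status}, {len(hops)} hop(s))"
        except ValueError as err:
            out[url] = f"blocked: {err}"
    return out

if __name__ == "__main__":
    for url, result in demo().items():
        print(f"{url:40} {result}")
```

Two caveats. The guard resolves the name itself, so a host that rebinds can answer differently when libcurl connects a moment later; the durable form pins the vetted address for the connection (libcurl's CURLOPT_RESOLVE, whether your curl-cffi version exposes it through setopt is something to confirm) or enforces the same ranges at the network layer, which is the egress restriction the mitigation text recommends. And a block list is only a floor: where the set of legitimate destinations is known, an allow list of hostnames is the stricter control.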
CVE-2026-33752 is a HIGH severity SSRF vulnerability in the curl-cffi Python library that lets attackers redirect the library's requests to internal services.
You are affected if you use curl-cffi version 0.9.0b2 or earlier. Upgrade to 0.15.0 or later to mitigate the risk.
Upgrade curl-cffi to version 0.15.0 or later. If upgrading is not possible, apply temporary workarounds such as URL validation, manual redirect handling, egress restrictions and WAF rules.
No widespread exploitation has been confirmed, but the SSRF nature of the vulnerability means exploitation is plausible.
Refer to the project's repository or related security advisories for the official advisory on CVE-2026-33752.