Platform
python
Component
curl-cffi
Fixed in
0.15.1
0.15.0
CVE-2026-33752 describes a Server-Side Request Forgery (SSRF) vulnerability found in the curl-cffi Python library. This flaw allows attackers to redirect requests to internal services, potentially exposing sensitive data or gaining unauthorized access. The vulnerability impacts versions of curl-cffi up to and including 0.9.0b2, and a fix is available in version 0.15.0.
The SSRF vulnerability in curl-cffi arises from the library's failure to restrict requests to internal IP ranges and its automatic following of redirects through libcurl. An attacker can craft a malicious URL that redirects requests to internal resources, such as cloud metadata endpoints, which often contain sensitive information like API keys, instance details, and credentials. The TLS impersonation feature exacerbates the risk, as it can make these requests appear as legitimate browser traffic, potentially bypassing network security controls and firewalls. Successful exploitation could lead to data breaches, unauthorized access to internal systems, and potential compromise of the entire infrastructure.
CVE-2026-33752 was publicly disclosed on 2026-04-03. The vulnerability's SSRF nature makes it potentially attractive to attackers seeking to map internal networks and identify exploitable services. While no public proof-of-concept (PoC) has been widely reported, the ease of SSRF exploitation suggests a moderate probability of exploitation. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.01% (2% percentile)
CISA SSVC
The primary mitigation for CVE-2026-33752 is to upgrade the curl-cffi library to version 0.15.0 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. These may include restricting outbound network access for applications using curl-cffi, implementing strict URL validation and sanitization to prevent redirection to internal IPs, and utilizing a Web Application Firewall (WAF) to filter malicious requests. Monitor network traffic for suspicious outbound connections to internal IP addresses. After upgrading, verify the fix by attempting to access a known internal resource via curl-cffi and confirming that the request is blocked or denied.
Update the curl_cffi library to version 0.15.0 or higher to mitigate the vulnerability. This update restricts requests to internal IP ranges and fixes the redirect issue, preventing unauthorized access to internal services.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-33752 is a HIGH severity SSRF vulnerability affecting the curl-cffi Python library, allowing attackers to redirect requests to internal services.
You are affected if you are using curl-cffi versions 0.9.0b2 or earlier. Upgrade to 0.15.0 or later to mitigate the risk.
Upgrade the curl-cffi library to version 0.15.0 or later. If upgrading is not possible, implement temporary workarounds like URL validation and WAF rules.
While no widespread exploitation has been confirmed, the SSRF nature of the vulnerability suggests a potential for exploitation.
Refer to the project's repository or related security advisories for the official advisory regarding CVE-2026-33752.
CVSS Vector
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.