Platform: python
Component: curl-cffi
Fixed in: 0.15.1, 0.15.0
CVE-2026-33752 describes a Server-Side Request Forgery (SSRF) vulnerability found in the curl-cffi Python library. This flaw allows attackers to redirect requests to internal services, potentially exposing sensitive data or gaining unauthorized access. The vulnerability impacts versions of curl-cffi up to and including 0.9.0b2, and a fix is available in version 0.15.0.
The SSRF vulnerability in curl-cffi arises from the library's failure to restrict requests to internal IP ranges and its automatic following of redirects through libcurl. An attacker can craft a malicious URL that redirects requests to internal resources, such as cloud metadata endpoints, which often contain sensitive information like API keys, instance details, and credentials. The TLS impersonation feature exacerbates the risk, as it can make these requests appear as legitimate browser traffic, potentially bypassing network security controls and firewalls. Successful exploitation could lead to data breaches, unauthorized access to internal systems, and potential compromise of the entire infrastructure.
CVE-2026-33752 was publicly disclosed on 2026-04-03. The vulnerability's SSRF nature makes it potentially attractive to attackers seeking to map internal networks and identify exploitable services. While no public proof-of-concept (PoC) has been widely reported, the ease of SSRF exploitation suggests a moderate probability of exploitation. It is not currently listed on the CISA KEV catalog.
Applications and services that rely on the curl-cffi Python library for making HTTP requests are at risk. This includes web applications, automation scripts, and any other Python-based tools that utilize curl-cffi. Specifically, environments where curl-cffi is used to interact with cloud metadata endpoints or other internal services are particularly vulnerable.
• python / library:
import subprocess
import sys

# PEP 440 aware comparison: a plain string comparison misorders '0.15.0' against '0.9.0b2'
from packaging.version import Version

# Ask pip (for the interpreter that is actually running) which curl-cffi is installed
result = subprocess.run([sys.executable, '-m', 'pip', 'show', 'curl-cffi'], capture_output=True, text=True)
if 'Version:' in result.stdout:
    version = result.stdout.split('Version:')[1].strip().split('\n')[0]
    if Version(version) <= Version('0.9.0b2'):
        print('Vulnerable version of curl-cffi detected!')
• generic web:
curl -I https://your-application-url/ | grep -i 'Server:'
• generic web:
curl -I https://your-application-url/ | grep -i 'X-Powered-By:'
Exploit status
EPSS: 0.01% (2nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-33752 is to upgrade the curl-cffi library to version 0.15.0 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. These may include restricting outbound network access for applications using curl-cffi, implementing strict URL validation and sanitization to prevent redirection to internal IPs, and utilizing a Web Application Firewall (WAF) to filter malicious requests. Monitor network traffic for suspicious outbound connections to internal IP addresses. After upgrading, verify the fix by attempting to access a known internal resource via curl-cffi and confirming that the request is blocked or denied.
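The description above blames two things working together: libcurl following redirects automatically, and no check that the final target is outside internal ranges. The workaround this section recommends (strict URL validation to prevent redirection to internal IPs) only works if it is applied to every hop, not just the first URL. The code below is an added, stand-alone illustration of that pattern written for this page; it is not curl-cffi's own code or API. The names `is_allowed_url` and `fetch_with_checked_redirects` are ours, the `fetch` callable is assumed to perform one request with automatic redirects turned off (with curl-cffi's requests-style API that would be an `allow_redirects=False` call, a parameter name we assume from that API), and the redirect chain and resolver results are constructed so the example runs offline.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin, urlsplit

# All names below are hypothetical helpers written for this advisory, not curl-cffi API.


def resolve_host(host: str) -> List[str]:
    """Resolve a hostname to every address the system resolver returns."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_internal_address(addr: str) -> bool:
    """True for loopback, private, link-local (169.254.169.254 metadata lives here),
    reserved, multicast or unspecified addresses, for both IPv4 and IPv6 literals."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # '::ffff:10.0.0.1' style literals wrap an IPv4 target
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def is_allowed_url(url: str, resolver: Callable[[str], List[str]] = resolve_host) -> bool:
    """Allow only http(s) URLs whose host is, or resolves only to, public addresses."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname  # urlsplit strips the [] around IPv6 literals
    try:
        ipaddress.ip_address(host)
        addrs = [host]  # literal address: no DNS lookup needed
    except ValueError:
        try:
            addrs = resolver(host)
        except (OSError, ValueError):
            return False  # unresolvable names are rejected, not trusted
    return bool(addrs) and not any(is_internal_address(a) for a in addrs)


Fetch = Callable[[str], Tuple[int, Dict[str, str]]]


def fetch_with_checked_redirects(url: str, fetch: Fetch, max_hops: int = 5,
                                 resolver: Callable[[str], List[str]] = resolve_host
                                 ) -> Tuple[int, str]:
    """Follow redirects by hand, validating every hop, instead of letting libcurl
    follow them. `fetch(url)` does ONE request with redirects disabled and returns
    (status, headers). Returns (final_status, final_url); raises ValueError when a
    hop points at a non-public target or the chain is too long."""
    current = url
    for _ in range(max_hops + 1):
        if not is_allowed_url(current, resolver):
            raise ValueError(f"blocked request to non-public target: {current}")
        status, headers = fetch(current)
        location = {k.lower(): v for k, v in headers.items()}.get("location")
        if status in (301, 302, 303, 307, 308) and location:
            current = urljoin(current, location)  # relative Location headers too
            continue
        return status, current
    raise ValueError("too many redirects")


# Constructed sample data for an offline demonstration (not captured traffic).
SAMPLE_RESPONSES = {
    "https://example.com/start": (302, {"Location": "https://example.com/next"}),
    "https://example.com/next": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}),
    "https://example.com/plain": (200, {"Content-Type": "text/html"}),
}


def sample_fetch(url: str) -> Tuple[int, Dict[str, str]]:
    """Stand-in for a single no-redirect request against the constructed table."""
    return SAMPLE_RESPONSES.get(url, (404, {}))


def sample_resolver(host: str) -> List[str]:
    """Constructed resolver: the demo hostname maps to a public address, nothing else resolves."""
    return {"example.com": ["93.184.216.34"]}.get(host, [])


def demo() -> Dict[str, object]:
    """Run the two constructed cases: a plain 200 and a chain that ends at metadata."""
    results: Dict[str, object] = {}
    results["plain"] = fetch_with_checked_redirects(
        "https://example.com/plain", sample_fetch, resolver=sample_resolver)
    try:
        fetch_with_checked_redirects("https://example.com/start", sample_fetch,
                                     resolver=sample_resolver)
        results["chain"] = "allowed"
    except ValueError as exc:
        results["chain"] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Two design points matter here. First, validation happens on the resolved addresses rather than on the hostname string, so a public-looking name that resolves to an internal address is rejected (the lookup result should be the same one the request uses, so pin the resolved address when making the real request). Second, the check runs before every hop, which is exactly what automatic redirect following skips.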
Update the curl_cffi library to version 0.15.0 or later to mitigate the vulnerability. This update restricts requests to internal IP ranges and fixes the redirect issue, preventing unauthorized access to internal services.
CVE-2026-33752 is a HIGH severity SSRF vulnerability affecting the curl-cffi Python library, allowing attackers to redirect requests to internal services.
You are affected if you are using curl-cffi versions 0.9.0b2 or earlier. Upgrade to 0.15.0 or later to mitigate the risk.
Upgrade the curl-cffi library to version 0.15.0 or later. If upgrading is not possible, implement temporary workarounds like URL validation and WAF rules.
While no widespread exploitation has been confirmed, the SSRF nature of the vulnerability suggests a potential for exploitation.
Refer to the project's repository or related security advisories for the official advisory regarding CVE-2026-33752.