{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33752", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T18:30:14.125Z", "datePublished": "2026-04-06T15:01:44.844Z", "dateUpdated": "2026-04-06T15:40:54.380Z"}, "containers": {"cna": {"title": "Redirect-based SSRF leading to internal network access in curl_cffi (with TLS impersonation bypass)", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/lexiforest/curl_cffi/security/advisories/GHSA-qw2m-4pqf-rmpp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/lexiforest/curl_cffi/security/advisories/GHSA-qw2m-4pqf-rmpp"}], "affected": [{"vendor": "lexiforest", "product": "curl_cffi", "versions": [{"version": "< 0.15.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T15:01:44.844Z"}, "descriptions": [{"lang": "en", "value": "curl_cffi is the a Python binding for curl. Prior to 0.15.0, curl_cffi does not restrict requests to internal IP ranges, and follows redirects automatically via the underlying libcurl. Because of this, an attacker-controlled URL can redirect requests to internal services such as cloud metadata endpoints. In addition, curl_cffi\u2019s TLS impersonation feature can make these requests appear as legitimate browser traffic, which may bypass certain network controls. This vulnerability is fixed in 0.15.0."}], "source": {"advisory": "GHSA-qw2m-4pqf-rmpp", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/lexiforest/curl_cffi/security/advisories/GHSA-qw2m-4pqf-rmpp", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T15:34:30.230660Z", "id": "CVE-2026-33752", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T15:40:54.380Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33752", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T15:34:30.230660Z"}}}], "references": [{"url": "https://github.com/lexiforest/curl_cffi/security/advisories/GHSA-qw2m-4pqf-rmpp", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T15:34:37.548Z"}}], "cna": {"title": "Redirect-based SSRF leading to internal network access in curl_cffi (with TLS impersonation bypass)", "source": {"advisory": "GHSA-qw2m-4pqf-rmpp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "lexiforest", "product": "curl_cffi", "versions": [{"status": "affected", "version": "< 0.15.0"}]}], "references": [{"url": "https://github.com/lexiforest/curl_cffi/security/advisories/GHSA-qw2m-4pqf-rmpp", "name": "https://github.com/lexiforest/curl_cffi/security/advisories/GHSA-qw2m-4pqf-rmpp", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "curl_cffi is the a Python binding for curl. Prior to 0.15.0, curl_cffi does not restrict requests to internal IP ranges, and follows redirects automatically via the underlying libcurl. Because of this, an attacker-controlled URL can redirect requests to internal services such as cloud metadata endpoints. In addition, curl_cffi\u2019s TLS impersonation feature can make these requests appear as legitimate browser traffic, which may bypass certain network controls. This vulnerability is fixed in 0.15.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T15:01:44.844Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33752", "state": "PUBLISHED", "dateUpdated": "2026-04-06T15:40:54.380Z", "dateReserved": "2026-03-23T18:30:14.125Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-06T15:01:44.844Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lexiforest:curl_cffi:*:*:*:*:*:python:*:*", "matchCriteriaId": "5FEECC54-A1DD-4B1C-B8AF-D7DA6004B6C4", "versionEndExcluding": "0.15.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:lexiforest:curl_cffi:0.15.0:beta1:*:*:*:python:*:*", "matchCriteriaId": "3E631217-0FE4-4470-B758-2869B22A9331", "vulnerable": true}, {"criteria": "cpe:2.3:a:lexiforest:curl_cffi:0.15.0:beta2:*:*:*:python:*:*", "matchCriteriaId": "AFB5A6A0-1EBE-4059-8105-C96CDAB06EE3", "vulnerable": true}, {"criteria": "cpe:2.3:a:lexiforest:curl_cffi:0.15.0:beta3:*:*:*:python:*:*", "matchCriteriaId": "99E5BB3A-55C5-40C5-9952-C2F9DAB5B0B1", "vulnerable": true}, {"criteria": "cpe:2.3:a:lexiforest:curl_cffi:0.15.0:beta4:*:*:*:python:*:*", "matchCriteriaId": "79ECE465-3520-45F5-B537-98A85A186CF0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "curl_cffi is the a Python binding for curl. Prior to 0.15.0, curl_cffi does not restrict requests to internal IP ranges, and follows redirects automatically via the underlying libcurl. Because of this, an attacker-controlled URL can redirect requests to internal services such as cloud metadata endpoints. In addition, curl_cffi\u2019s TLS impersonation feature can make these requests appear as legitimate browser traffic, which may bypass certain network controls. This vulnerability is fixed in 0.15.0."}], "id": "CVE-2026-33752", "lastModified": "2026-04-09T18:10:21.143", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T16:16:34.140", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/lexiforest/curl_cffi/security/advisories/GHSA-qw2m-4pqf-rmpp"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/lexiforest/curl_cffi/security/advisories/GHSA-qw2m-4pqf-rmpp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.15.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "curl_cffi", "source": "cna", "vendor": "lexiforest"}, "product": "curl_cffi", "vendor": "lexiforest"}], "analysis": {"en": {"generated_at": "2026-04-09T19:53:02.819878+00:00", "value": {"mitigation_remediation": ["Upgrade curl_cffi to version 0.15.0 or later", "Modify application logic to prevent automatic redirects to untrusted URLs", "Disable or restrict the TLS impersonation feature if upgrade is not immediately possible", "Implement network\u2011level blocking of outbound connections to internal IP ranges from the host running curl_cffi", "Monitor outbound traffic for unexpected redirects to internal addresses"], "summary": {"action": "Immediate Patch", "impact": "Internal Network Access via SSRF"}, "threat_synthesis": {"affected_systems": "All installations of the lexiforest curl_cffi package that are earlier than version 0.15.0\u2014including the 0.15.0 beta releases (beta1 through beta4)\u2014are affected. The issue is resolved in version 0.15.0 and later, which implements restrictions on target IP ranges and disables automatic redirect following for untrusted URLs.", "description_and_impact": "curl_cffi, a Python binding for libcurl, contains a Server\u2011Side Request Forgery weakness (CWE\u2011918) that allows an attacker\u2011controlled URL to be requested without any restriction on internal address ranges. The library automatically follows HTTP redirects, so a malicious link can redirect traffic to internal services such as cloud metadata endpoints. In addition, curl_cffi\u2019s TLS impersonation feature can make the outbound request appear as legitimate browser traffic, potentially evading network controls that rely on client certificates or TLS fingerprint checks. This flaw enables an attacker to discover and interact with internal resources that should otherwise remain isolated from external inputs.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 8.6, indicating high severity, while the EPSS score is below 1%, suggesting that exploit attempts are currently rare. It is not listed in the CISA KEV catalog. The attack vector is remote: an attacker supplies a crafted URL that curl_cffi follows, resulting in internal service exposure and possible bypass of network controls via TLS impersonation. Successful exploitation allows an adversary to gather internal host information or interact with restricted services, potentially escalating privileges if those services are further compromised."}}}}, "created": "2026-04-06T20:14:17.168239+00:00", "updated": "2026-04-10T09:45:15.455317+00:00", "vendors": ["lexiforest", "lexiforest$PRODUCT$curl_cffi"]}