CVE-2026-33752Server-Side Request Forgery in Curl Cffi

CWE-918Server-Side Request Forgery5 documents5 sources
Severity
8.6HIGHNVD
GHSA7.5OSV7.5
EPSS
0.0%
top 97.68%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Lexiforest Curl Cffi
Timeline
PublishedApr 6

Description

curl_cffi is the a Python binding for curl. Prior to 0.15.0, curl_cffi does not restrict requests to internal IP ranges, and follows redirects automatically via the underlying libcurl. Because of this, an attacker-controlled URL can redirect requests to internal services such as cloud metadata endpoints. In addition, curl_cffi’s TLS impersonation feature can make these requests appear as legitimate browser traffic, which may bypass certain network controls. This vulnerability is fixed in 0.15.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:NExploitability: 3.9 | Impact: 4.0

Affected Packages3 packages

CVEListV5lexiforest/curl_cffi< 0.15.0
NVDlexiforest/curl_cffi< 0.15.0+1
PyPIlexiforest/curl_cffi< 0.15.0

🔴Vulnerability Details

3
CVEList
Redirect-based SSRF leading to internal network access in curl_cffi (with TLS impersonation bypass)2026-04-06
OSV
curl_cffi: Redirect-based SSRF leads to internal network access in curl_cffi (with TLS impersonation bypass)2026-04-03
GHSA
curl_cffi: Redirect-based SSRF leads to internal network access in curl_cffi (with TLS impersonation bypass)2026-04-03

🕵️Threat Intelligence

1
Wiz
CVE-2026-33752 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-33752 — Server-Side Request Forgery | cvebase