curl_cffi is the a Python binding for curl. Prior to 0.15.0, curl_cffi does not restrict requests to internal IP ranges, and follows redirects automatically via the underlying libcurl. Because of this, an attacker-controlled URL can redirect requests to internal services such as cloud metadata endpoints.
In addition, curl_cffi’s TLS impersonation feature can make these requests appear as legitimate browser traffic, which may bypass certain network controls. This vulnerability is fixed in 0.15.0.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
High
Complete data leak
Integrity
None
No data modification
Availability
None
No disruption
CVSS Vector v3.1
Weakness Type (CWE)
Vulnerable Products 5
| Configuration | From (including) | Up to (excluding) |
|---|---|---|
|
Lexiforest Curl_Cffi
cpe:2.3:a:lexiforest:curl_cffi:*:*:*:*:*:python:*:*
|
— |
0.15.0
|
|
Lexiforest Curl_Cffi
cpe:2.3:a:lexiforest:curl_cffi:0.15.0:beta1:*:*:*:python:*:*
|
— | — |
|
Lexiforest Curl_Cffi
cpe:2.3:a:lexiforest:curl_cffi:0.15.0:beta2:*:*:*:python:*:*
|
— | — |
|
Lexiforest Curl_Cffi
cpe:2.3:a:lexiforest:curl_cffi:0.15.0:beta3:*:*:*:python:*:*
|
— | — |
|
Lexiforest Curl_Cffi
cpe:2.3:a:lexiforest:curl_cffi:0.15.0:beta4:*:*:*:python:*:*
|
— | — |