GHSA-VH75-FWV3-PQRH

Vulnerability from github – Published: 2026-05-05 19:52 – Updated: 2026-05-13 16:26
VLAI
Summary
requests-hardened is Vulnerable to Server-Side Request Forgery
Details

The SSRF protection in requests-hardened prior to version 1.2.1 fails to block IP addresses within the RFC 6598 Shared Address Space (100.64.0.0/10). An attacker who can supply arbitrary URLs to requests-hardened could exploit this gap to access internal services hosted within 100.64.0.0/10. This is for example relevant in environments such as AWS EKS where 100.64.0.0/10 is commonly used as the default pod CIDR.

The impact is environment-dependent, deployments that utilize the affected CIDR range for internal networking are exposed to SSRF bypass, while others may not be affected.

The issue is resolved in version 1.2.1 by extending the IP filtering logic to explicitly block the RFC 6598 range in addition to standard private addresses, as well as blocking all other reserved addresses (such as multicast) to prevent the re-occurrence of similar issues.

Version 1.2.1 is now blocking the following CIDRs:

  • 192.88.99.0/24 - 6to4 relay anycast
  • 100.64.0.0/10 - CG-NAT
  • 5f00::/16 - IPv6 Segment Routing
  • 64:ff9b::/96 - used for IPv6 & IPv4 translation (NAT64)
  • 2001:20::/28 - ORCHIDv2 (overlay identifiers)
  • 224.0.0.0/4 - multicast
  • ff00::/8 - multicast

Resources

  • https://github.com/python/cpython/issues/119812
  • https://github.com/saleor/requests-hardened/commit/b7403f88d3b3689e57435b75b51691a160aaeef5 - the fix itself
  • https://github.com/saleor/requests-hardened/commit/a266b3958bb142bca515b3c230fdea19fbda327c - follow up, adding additional support for outdated Python versions (3.11.9 and 3.10.11 instead of only 3.11.15 and 3.10.20)
  • https://github.com/saleor/requests-hardened/releases/tag/v1.2.1
Severity
6.5 (Medium)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "requests-hardened"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42175"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T19:52:45Z",
    "nvd_published_at": "2026-05-12T18:17:24Z",
    "severity": "MODERATE"
  },
  "details": "The SSRF protection in `requests-hardened` prior to version 1.2.1 fails to block IP addresses within the RFC 6598 Shared Address Space (`100.64.0.0/10`). An attacker who can supply arbitrary URLs to `requests-hardened` could exploit this gap to access internal services hosted within `100.64.0.0/10`. This is for example relevant in environments such as AWS EKS where `100.64.0.0/10` is commonly used as the default pod CIDR.\n\nThe impact is environment-dependent, deployments that utilize the affected CIDR range for internal networking are exposed to SSRF bypass, while others may not be affected.\n\nThe issue is resolved in version 1.2.1 by extending the IP filtering logic to explicitly block the RFC 6598 range in addition to standard private addresses, as well as blocking all other reserved addresses (such as multicast) to prevent the re-occurrence of similar issues.\n\nVersion 1.2.1 is now blocking the following CIDRs:\n\n- `192.88.99.0/24` - 6to4 relay anycast\n- `100.64.0.0/10` - CG-NAT\n- `5f00::/16` - IPv6 Segment Routing\n- `64:ff9b::/96` - used for IPv6 \u0026 IPv4 translation (NAT64)\n- `2001:20::/28` - ORCHIDv2 (overlay identifiers)\n- `224.0.0.0/4` - multicast\n- `ff00::/8` - multicast\n\n## Resources\n\n- https://github.com/python/cpython/issues/119812\n- https://github.com/saleor/requests-hardened/commit/b7403f88d3b3689e57435b75b51691a160aaeef5 - the fix itself\n- https://github.com/saleor/requests-hardened/commit/a266b3958bb142bca515b3c230fdea19fbda327c - follow up, adding additional support for outdated Python versions (`3.11.9` and `3.10.11` instead of only `3.11.15` and `3.10.20`)\n- https://github.com/saleor/requests-hardened/releases/tag/v1.2.1",
  "id": "GHSA-vh75-fwv3-pqrh",
  "modified": "2026-05-13T16:26:26Z",
  "published": "2026-05-05T19:52:45Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/saleor/requests-hardened/security/advisories/GHSA-vh75-fwv3-pqrh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42175"
    },
    {
      "type": "WEB",
      "url": "https://github.com/saleor/requests-hardened/commit/a266b3958bb142bca515b3c230fdea19fbda327c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/saleor/requests-hardened/commit/b7403f88d3b3689e57435b75b51691a160aaeef5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/saleor/requests-hardened"
    },
    {
      "type": "WEB",
      "url": "https://github.com/saleor/requests-hardened/releases/tag/v1.2.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "requests-hardened is Vulnerable to Server-Side Request Forgery"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.