GHSA-vh75-fwv3-pqrh
Suggest an improvement- Source
- https://github.com/advisories/GHSA-vh75-fwv3-pqrh
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-vh75-fwv3-pqrh/GHSA-vh75-fwv3-pqrh.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-vh75-fwv3-pqrh
- Aliases
-
- CVE-2026-42175
- Published
- 2026-05-05T19:52:45Z
- Modified
- 2026-05-13T16:38:22.410482Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N CVSS Calculator
- Summary
- requests-hardened is Vulnerable to Server-Side Request Forgery
- Details
-
The SSRF protection in
requests-hardenedprior to version 1.2.1 fails to block IP addresses within the RFC 6598 Shared Address Space (100.64.0.0/10). An attacker who can supply arbitrary URLs torequests-hardenedcould exploit this gap to access internal services hosted within100.64.0.0/10. This is for example relevant in environments such as AWS EKS where100.64.0.0/10is commonly used as the default pod CIDR.The impact is environment-dependent, deployments that utilize the affected CIDR range for internal networking are exposed to SSRF bypass, while others may not be affected.
The issue is resolved in version 1.2.1 by extending the IP filtering logic to explicitly block the RFC 6598 range in addition to standard private addresses, as well as blocking all other reserved addresses (such as multicast) to prevent the re-occurrence of similar issues.
Version 1.2.1 is now blocking the following CIDRs:
192.88.99.0/24- 6to4 relay anycast100.64.0.0/10- CG-NAT5f00::/16- IPv6 Segment Routing64:ff9b::/96- used for IPv6 & IPv4 translation (NAT64)2001:20::/28- ORCHIDv2 (overlay identifiers)224.0.0.0/4- multicastff00::/8- multicast
Resources
- https://github.com/python/cpython/issues/119812
- https://github.com/saleor/requests-hardened/commit/b7403f88d3b3689e57435b75b51691a160aaeef5 - the fix itself
- https://github.com/saleor/requests-hardened/commit/a266b3958bb142bca515b3c230fdea19fbda327c - follow up, adding additional support for outdated Python versions (
3.11.9and3.10.11instead of only3.11.15and3.10.20) - https://github.com/saleor/requests-hardened/releases/tag/v1.2.1
- Database specific
{ "github_reviewed": true, "severity": "MODERATE", "github_reviewed_at": "2026-05-05T19:52:45Z", "nvd_published_at": "2026-05-12T18:17:24Z", "cwe_ids": [ "CWE-918" ] }- References
-
- https://github.com/saleor/requests-hardened/security/advisories/GHSA-vh75-fwv3-pqrh
- https://nvd.nist.gov/vuln/detail/CVE-2026-42175
- https://github.com/saleor/requests-hardened/commit/a266b3958bb142bca515b3c230fdea19fbda327c
- https://github.com/saleor/requests-hardened/commit/b7403f88d3b3689e57435b75b51691a160aaeef5
- https://github.com/saleor/requests-hardened
- https://github.com/saleor/requests-hardened/releases/tag/v1.2.1
Affected packages
PyPI / requests-hardened
Package
- Name
- requests-hardened
- View open source insights on deps.dev
- Purl
- pkg:pypi/requests-hardened