Executive Summary

CVE-2026-33752 is a high-severity Server-Side Request Forgery (SSRF) vulnerability in the Python package curl_cffi, which is a binding for curl. Prior to version 0.15.0, curl_cffi does not restrict requests to internal IP ranges and automatically follows HTTP redirects using the underlying libcurl library. This means an attacker can supply a URL that redirects requests to internal network services, such as cloud metadata endpoints, which are normally protected.

Additionally, curl_cffi has a TLS impersonation feature that can make these malicious requests appear as legitimate browser traffic, potentially bypassing network controls that filter outbound requests based on TLS fingerprints.

This vulnerability allows attackers to bypass restrictions limiting requests to external URLs by redirecting requests to internal services without validation at the Python layer.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker to access sensitive internal network services and cloud metadata endpoints that should normally be inaccessible from outside the network.

By exploiting this SSRF vulnerability, attackers can bypass outbound filtering mechanisms and network controls, potentially gaining unauthorized access to confidential information stored in internal services.

The TLS impersonation feature can help attackers evade detection by making malicious requests appear as legitimate browser traffic.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for unusual outbound requests made by curl_cffi that target internal IP ranges or cloud metadata endpoints, especially those that follow redirects automatically. Look for network traffic where curl_cffi is used to access internal IP addresses such as 127.0.0.1 or 169.254.0.0/16, or where TLS impersonation (e.g., impersonate="chrome") is employed, which may indicate attempts to bypass network controls.

To detect such activity, you can use network monitoring tools or commands to inspect outbound connections and HTTP redirects initiated by curl_cffi.

• Use packet capture tools like tcpdump or Wireshark to filter traffic from systems running curl_cffi and check for requests to internal IP ranges.
• Example tcpdump command to capture traffic to internal IP ranges: tcpdump -i any dst net 127.0.0.0/8 or dst net 169.254.0.0/16
• Check logs or use process monitoring to identify curl_cffi usage and inspect the URLs being requested.
• If possible, enable verbose or debug logging in curl_cffi to capture redirect chains and TLS impersonation usage.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade curl_cffi to version 0.15.0 or later, where this vulnerability is fixed by restricting requests to internal IP ranges and handling redirects securely.

Until the upgrade can be applied, consider implementing network-level controls to block outbound requests to internal IP ranges from systems running vulnerable versions of curl_cffi.

Additionally, monitor and restrict the use of TLS impersonation features in curl_cffi to prevent bypassing network filters.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows attackers to access sensitive internal network services and cloud metadata endpoints by bypassing outbound filtering mechanisms. Such unauthorized access to internal resources can lead to exposure of confidential information.

Exposure of sensitive data through this Server-Side Request Forgery (SSRF) vulnerability could potentially result in non-compliance with data protection regulations such as GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

Furthermore, the ability to impersonate TLS fingerprints to evade network controls may hinder detection and response efforts, increasing the risk of data breaches and regulatory violations.

Useful 0 Not Useful 0