curl_cffi Server-Side Request Forgery Vulnerability Allowing Internal Network Access
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in curl_cffi, a Python binding for libcurl, in versions through 0.15.0b4. The vulnerability arises because the library neither restricts requests to internal IP ranges nor stops at a redirect: HTTP redirects are followed by default via libcurl (allow_redirects defaults to True), so a response from an attacker-controlled host can steer the request to an internal service such as a cloud metadata endpoint. In addition, curl_cffi's TLS impersonation feature (for example impersonate='chrome') makes the resulting requests look like legitimate browser traffic at the TLS and HTTP fingerprint level, which can defeat network controls that rely on blocking non-browser clients.
Impact
Exploitation of this vulnerability allows an attacker to reach internal network services and cloud metadata endpoints from the vulnerable host, retrieving credentials or other sensitive data those services expose. Because the traffic carries a browser fingerprint, the vulnerability could also be used to bypass certain outbound filtering mechanisms, depending on the environment.
Reproduction
The vulnerability can be reproduced by standing up an attacker-controlled HTTP server that answers with a redirect whose Location header points at an internal service, such as a cloud metadata endpoint, and then fetching the attacker's URL with curl_cffi's get function. With the impersonate parameter set to 'chrome', the library follows the redirect with a browser-like TLS fingerprint and returns the internal service's response to the caller.
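The redirect chain described above, and the guard a caller can apply regardless of library version, as an added example that is not curl_cffi's own code. The network is replaced by a constructed FAKE_SERVER table so the script runs offline; in real use, fetch would wrap curl_cffi.requests.get(url, impersonate="chrome", allow_redirects=False) so that redirects are handled by hand and every hop is resolved and checked before it is requested. The blocklist, resolver parameter and helper names are this example's own assumptions.

```python
"""Manual redirect following with a per-hop internal-address check.

Added example, not code from curl_cffi. `fetch` stands in for a call such as
curl_cffi.requests.get(url, impersonate="chrome", allow_redirects=False),
which must NOT follow redirects itself.
"""
import ipaddress
import socket
from urllib.parse import urlparse, urljoin

# Explicit blocklist of the ranges an SSRF is usually aimed at (RFC 1918,
# loopback, link-local incl. 169.254.169.254, CGNAT, IPv6 ULA/link-local).
# Kept explicit rather than relying on ipaddress.is_private, whose contents
# differ across Python versions.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "240.0.0.0/4", "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]
REDIRECT_STATUSES = (301, 302, 303, 307, 308)


class SSRFBlocked(Exception):
    pass


def is_blocked_ip(ip):
    """True if ip falls in a blocked range; IPv4-mapped IPv6 is unwrapped first."""
    ip = ipaddress.ip_address(ip)
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def check_url(url, resolver=socket.getaddrinfo):
    """Reject non-http(s) URLs and hosts that resolve to a blocked range."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        raise SSRFBlocked(f"unsupported URL: {url}")
    host = parsed.hostname
    try:
        ipaddress.ip_address(host)       # IP literal: no DNS lookup needed
        addrs = [host]
    except ValueError:
        # Strip any IPv6 scope id (fe80::1%eth0) before parsing.
        addrs = sorted({info[4][0].split("%")[0] for info in resolver(host, None)})
    for addr in addrs:
        if is_blocked_ip(addr):
            raise SSRFBlocked(f"{url} resolves to blocked address {addr}")
    return parsed


def safe_get(url, fetch, resolver=socket.getaddrinfo, max_redirects=5):
    """Follow redirects by hand so every hop passes check_url() first.

    fetch(url) returns (status, headers, body) without following redirects.
    """
    for _ in range(max_redirects + 1):
        check_url(url, resolver)
        status, headers, body = fetch(url)
        if status not in REDIRECT_STATUSES:
            return url, status, body
        location = headers.get("Location")
        if not location:
            raise SSRFBlocked(f"redirect from {url} has no Location header")
        url = urljoin(url, location)     # relative Location stays on the same host
    raise SSRFBlocked("too many redirects")


def naive_get(url, fetch, max_redirects=5):
    """What allow_redirects=True amounts to: follow every hop unchecked."""
    for _ in range(max_redirects + 1):
        status, headers, body = fetch(url)
        if status not in REDIRECT_STATUSES:
            return url, status, body
        url = urljoin(url, headers["Location"])
    raise RuntimeError("too many redirects")


# Constructed stand-in for the network: an attacker host in the documentation
# range 203.0.113.0/24 answers with a 302 to the cloud metadata endpoint.
FAKE_SERVER = {
    "http://203.0.113.10/start": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""),
    "http://203.0.113.10/hop": (302, {"Location": "/final"}, b""),
    "http://203.0.113.10/final": (200, {}, b"harmless"),
    "http://169.254.169.254/latest/meta-data/": (200, {}, b"ami-id\ninstance-id\n"),
}


def fake_fetch(url):
    return FAKE_SERVER[url]


def demo():
    """Returns (url the naive client ended on, outcome of the guarded client)."""
    naive_url, _, _ = naive_get("http://203.0.113.10/start", fake_fetch)
    try:
        safe_get("http://203.0.113.10/start", fake_fetch)
        guarded = "allowed"
    except SSRFBlocked as exc:
        guarded = f"blocked: {exc}"
    return naive_url, guarded


if __name__ == "__main__":
    print(demo())
```

The check resolves the hostname itself and then lets the library connect, so a DNS-rebinding attacker can still return a public address to the check and an internal one to libcurl a moment later; closing that gap means pinning the checked address for the connection (libcurl's CURLOPT_RESOLVE, which curl_cffi exposes through its setopt interface) or resolving inside the client. The blocklist is a starting point and should be extended with whatever else is internal in a given deployment.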
Remediation
Users are advised to update curl_cffi to version 0.15.0 or later. Independently of the library version, applications that fetch user-supplied URLs should disable automatic redirect following (allow_redirects=False) and validate the resolved address of every hop themselves, since a generic HTTP client cannot know which networks are internal to a particular deployment.
