Requests-Hardened SSRF Bypass Vulnerability in Shared Address Space
Vulnerability
A vulnerability in the requests-hardened library prior to version 1.2.1 allows its server-side request forgery (SSRF) protection to be bypassed. The protection fails to block IP addresses within the RFC 6598 Shared Address Space (100.64.0.0/10). An attacker who can supply arbitrary URLs to requests-hardened may therefore reach internal services in environments such as AWS EKS, where this address range is commonly used for pods. The vulnerability is environment-dependent: only deployments that use 100.64.0.0/10 for internal networking are affected.
Impact
Exploitation of this vulnerability allows for SSRF bypass, enabling access to internal services within the 100.64.0.0/10 address range.
Reproduction
The vulnerability can be reproduced with a requests-hardened version prior to 1.2.1 by sending a request for a URL whose host is, or resolves to, an address within the 100.64.0.0/10 range; the library's SSRF protection does not reject it. A realistic setting is an AWS EKS environment where this address range is used for pod addresses.
Remediation
Users can upgrade to requests-hardened version 1.2.1 or later, which addresses the vulnerability by blocking the RFC 6598 range and other reserved addresses to prevent similar issues.
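The following is an added example, not code from requests-hardened or this advisory. It shows why a guard built on Python's ipaddress "is_private" flag misses the RFC 6598 range (the standard library deliberately reports 100.64.0.0/10 as neither private nor global), and a hardened check of the kind the fixed version needs: reject anything that is not globally reachable and additionally reject an explicit list of reserved ranges. The resolver is injected so the example runs offline; hostnames and addresses below are constructed for illustration.

```python
"""Added example (not the library's own code): an SSRF address guard that
misses RFC 6598 Shared Address Space, beside one that blocks it."""
import ipaddress
from urllib.parse import urlsplit

# RFC 6598 Shared Address Space. Python's ipaddress module reports
# is_private == False and is_global == False for this range, so a guard
# that only asks "is it private?" lets 100.64.0.0/10 through.
SHARED_ADDRESS_SPACE = ipaddress.ip_network("100.64.0.0/10")

# Explicit reserved ranges rejected regardless of the stdlib's verdict
# (defense in depth across Python versions). Constructed list for this
# example; extend it for your own environment.
EXTRA_BLOCKED = [
    SHARED_ADDRESS_SPACE,
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),   # link-local (cloud metadata lives here)
    ipaddress.ip_network("240.0.0.0/4"),      # reserved
]


def naive_is_blocked(ip_str):
    """The kind of check that produces the gap described in the advisory:
    every flag here is False for an address in 100.64.0.0/10."""
    ip = ipaddress.ip_address(ip_str)
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast


def hardened_is_blocked(ip_str):
    """Reject any address that is not globally reachable (this already covers
    private, loopback, link-local and the shared address space), plus
    multicast and the explicit reserved list above."""
    ip = ipaddress.ip_address(ip_str)
    if not ip.is_global or ip.is_multicast:
        return True
    return any(ip in net for net in EXTRA_BLOCKED)


def check_url(url, resolve):
    """Return (allowed, reason) for a URL before any request is made.

    `resolve` maps a hostname to a list of IP strings. It is injected here so
    the example runs offline; in production use socket.getaddrinfo, check
    every returned address, and connect to the address you checked rather
    than resolving a second time."""
    host = urlsplit(url).hostname
    if host is None:
        return False, "URL has no host"
    try:
        addrs = [str(ipaddress.ip_address(host))]   # literal IP in the URL
    except ValueError:
        addrs = resolve(host)                        # hostname: resolve it
    if not addrs:
        return False, "host did not resolve"
    for addr in addrs:
        if hardened_is_blocked(addr):
            return False, f"{addr} is a reserved or non-global address"
    return True, "ok"


# Constructed name-to-address map standing in for DNS in this example.
CONSTRUCTED_DNS = {
    "internal-api.example": ["100.64.3.7"],    # EKS-style pod address (RFC 6598)
    "public-site.example": ["100.128.0.1"],    # first address above the /10: global
}


def constructed_resolve(host):
    return CONSTRUCTED_DNS.get(host, [])


if __name__ == "__main__":
    for addr in ("100.64.3.7", "10.0.0.5", "100.128.0.1"):
        print(addr, "naive:", naive_is_blocked(addr), "hardened:", hardened_is_blocked(addr))
    for url in ("http://internal-api.example/", "http://100.64.3.7/", "http://public-site.example/"):
        print(url, check_url(url, constructed_resolve))
```

The naive guard reports 100.64.3.7 as not blocked while the hardened guard rejects it; 100.128.0.1, the first address beyond the /10, is correctly allowed by both. Using "not is_global" rather than a hand-picked set of flags is what closes the gap, and the explicit list keeps the decision stable if the standard library's classification changes between Python versions.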