requests-hardened: Server-Side Request Forgery (SSRF) in requests-hardened RFC 6598

requests-hardened is a library that overrides the default behaviors of the requests library, and adds new security features. Prior to , the SSRF protection in requests-hardened fails to block IP addresses within the RFC 6598 Shared Address Space (100.64.0.0/10). An attacker who can supply arbitrary URLs to requests-hardened could exploit this gap to access internal services hosted within 100.64.0.0/10. This is for example relevant in environments such as AWS EKS where 100.64.0.0/10 is commonly used as the default pod CIDR. The impact is environment-dependent, deployments that utilize the affected CIDR range for internal networking are exposed to SSRF bypass, while others may not be affected. This vulnerability is fixed in .

Problem type

CWE-918: Server-Side Request Forgery (SSRF)

Affected products

saleor

requests-hardened

< 1.2.1 - AFFECTED

References

https://github.com/saleor/requests-hardened/security/advisories/GHSA-vh75-fwv3-pqrh

https://github.com/saleor/requests-hardened/security/advisories/GHSA-vh75-fwv3-pqrh

x_refsource_CONFIRM

https://github.com/saleor/requests-hardened/commit/a266b3958bb142bca515b3c230fdea19fbda327c

https://github.com/saleor/requests-hardened/commit/a266b3958bb142bca515b3c230fdea19fbda327c

x_refsource_MISC

https://github.com/saleor/requests-hardened/commit/b7403f88d3b3689e57435b75b51691a160aaeef5

https://github.com/saleor/requests-hardened/commit/b7403f88d3b3689e57435b75b51691a160aaeef5

x_refsource_MISC

https://github.com/saleor/requests-hardened/releases/tag/v1.2.1

https://github.com/saleor/requests-hardened/releases/tag/v1.2.1

x_refsource_MISC

GitHub Security Advisories

GHSA-vh75-fwv3-pqrh

requests-hardened is Vulnerable to Server-Side Request Forgery

https://github.com/advisories/GHSA-vh75-fwv3-pqrh

The SSRF protection in requests-hardened prior to version 1.2.1 fails to block IP addresses within the RFC 6598 Shared Address Space (100.64.0.0/10). An attacker who can supply arbitrary URLs to requests-hardened could exploit this gap to access internal services hosted within 100.64.0.0/10. This is for example relevant in environments such as AWS EKS where 100.64.0.0/10 is commonly used as the default pod CIDR.

The impact is environment-dependent, deployments that utilize the affected CIDR range for internal networking are exposed to SSRF bypass, while others may not be affected.

The issue is resolved in version 1.2.1 by extending the IP filtering logic to explicitly block the RFC 6598 range in addition to standard private addresses, as well as blocking all other reserved addresses (such as multicast) to prevent the re-occurrence of similar issues.

Version 1.2.1 is now blocking the following CIDRs:

192.88.99.0/24 - 6to4 relay anycast
100.64.0.0/10 - CG-NAT
5f00::/16 - IPv6 Segment Routing
64:ff9b::/96 - used for IPv6 & IPv4 translation (NAT64)
2001:20::/28 - ORCHIDv2 (overlay identifiers)
224.0.0.0/4 - multicast
ff00::/8 - multicast

Resources

https://github.com/python/cpython/issues/119812
https://github.com/saleor/requests-hardened/commit/b7403f88d3b3689e57435b75b51691a160aaeef5 - the fix itself
https://github.com/saleor/requests-hardened/commit/a266b3958bb142bca515b3c230fdea19fbda327c - follow up, adding additional support for outdated Python versions (3.11.9 and 3.10.11 instead of only 3.11.15 and 3.10.20)
https://github.com/saleor/requests-hardened/releases/tag/v1.2.1

github.com

https://github.com/saleor/requests-hardened/security/advisories/GHSA-vh75-fwv3-pqrh

github.com

https://github.com/saleor/requests-hardened/commit/a266b3958bb142bca515b3c230fdea19fbda327c

github.com

https://github.com/saleor/requests-hardened/commit/b7403f88d3b3689e57435b75b51691a160aaeef5

github.com

https://github.com/saleor/requests-hardened/releases/tag/v1.2.1

nvd.nist.gov

https://nvd.nist.gov/vuln/detail/CVE-2026-42175

github.com

https://github.com/advisories/GHSA-vh75-fwv3-pqrh

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-42175

Click to expand

{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-42175",
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "dateUpdated": "2026-05-12T17:52:09.138Z",
    "dateReserved": "2026-04-25T01:53:21.582Z",
    "datePublished": "2026-05-12T17:52:09.138Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M",
        "dateUpdated": "2026-05-12T17:52:09.138Z"
      },
      "title": "requests-hardened: Server-Side Request Forgery (SSRF) in requests-hardened  RFC 6598",
      "descriptions": [
        {
          "lang": "en",
          "value": "requests-hardened is a library that overrides the default behaviors of the requests library, and adds new security features. Prior to , the SSRF protection in requests-hardened fails to block IP addresses within the RFC 6598 Shared Address Space (100.64.0.0/10). An attacker who can supply arbitrary URLs to requests-hardened could exploit this gap to access internal services hosted within 100.64.0.0/10. This is for example relevant in environments such as AWS EKS where 100.64.0.0/10 is commonly used as the default pod CIDR. The impact is environment-dependent, deployments that utilize the affected CIDR range for internal networking are exposed to SSRF bypass, while others may not be affected. This vulnerability is fixed in ."
        }
      ],
      "affected": [
        {
          "vendor": "saleor",
          "product": "requests-hardened",
          "versions": [
            {
              "version": "< 1.2.1",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "cweId": "CWE-918",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://github.com/saleor/requests-hardened/security/advisories/GHSA-vh75-fwv3-pqrh",
          "name": "https://github.com/saleor/requests-hardened/security/advisories/GHSA-vh75-fwv3-pqrh",
          "tags": [
            "x_refsource_CONFIRM"
          ]
        },
        {
          "url": "https://github.com/saleor/requests-hardened/commit/a266b3958bb142bca515b3c230fdea19fbda327c",
          "name": "https://github.com/saleor/requests-hardened/commit/a266b3958bb142bca515b3c230fdea19fbda327c",
          "tags": [
            "x_refsource_MISC"
          ]
        },
        {
          "url": "https://github.com/saleor/requests-hardened/commit/b7403f88d3b3689e57435b75b51691a160aaeef5",
          "name": "https://github.com/saleor/requests-hardened/commit/b7403f88d3b3689e57435b75b51691a160aaeef5",
          "tags": [
            "x_refsource_MISC"
          ]
        },
        {
          "url": "https://github.com/saleor/requests-hardened/releases/tag/v1.2.1",
          "name": "https://github.com/saleor/requests-hardened/releases/tag/v1.2.1",
          "tags": [
            "x_refsource_MISC"
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM"
          }
        }
      ]
    }
  }
}