VYPR
Critical severity · 9.8 · NVD Advisory · Published Nov 13, 2017 · Updated May 13, 2026

CVE-2017-0906

Description

The Recurly Client Python Library before 2.0.5, 2.1.16, 2.2.22, 2.3.1, 2.4.5, 2.5.1, 2.6.2 is vulnerable to a Server-Side Request Forgery vulnerability in the "Resource.get" method that could result in compromise of API keys or other critical resources.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions     Patched version
recurly   PyPI        >= 2.6.0, < 2.6.2     2.6.2
recurly   PyPI        >= 2.5.0, < 2.5.1     2.5.1
recurly   PyPI        >= 2.4.0, < 2.4.5     2.4.5
recurly   PyPI        >= 2.3.0, < 2.3.1     2.3.1
recurly   PyPI        >= 2.2.0, < 2.2.22    2.2.22
recurly   PyPI        >= 2.1.0, < 2.1.16    2.1.16
recurly   PyPI        < 2.0.5               2.0.5

Affected products

  • Recurly/recurly python module (v5)
    Range: Versions before 2.0.5, 2.1.16, 2.2.22, 2.3.1, 2.4.5, 2.5.1, 2.6.2
  • CPE match data:
    • cpe:2.3:a:recurly:recurly_client_python:*:*:*:*:*:*:*:* (range: >= 2.0.0, <= 2.0.4)
    • cpe:2.3:a:recurly:recurly_client_python:2.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:recurly:recurly_client_python:2.5.0:*:*:*:*:*:*:*
    • cpe:2.3:a:recurly:recurly_client_python:2.6.0:*:*:*:*:*:*:*
    • cpe:2.3:a:recurly:recurly_client_python:2.6.1:*:*:*:*:*:*:*

Caveat: the CPE match data covers only the 2.0.x, 2.3.0, 2.5.0, 2.6.0 and 2.6.1 releases. The 2.1.x, 2.2.x and 2.4.x ranges listed in the advisory above have no CPE entry, so a scanner keyed on this CPE data alone will not flag recurly 2.1.0 through 2.1.15, 2.2.0 through 2.2.21 or 2.4.0 through 2.4.4; match on the PyPI version ranges instead.

Patches

Commit 049c74699ce9 (via GHSA)

Fix SSRF: do not use urljoin, quote uuids

https://github.com/recurly/recurly-client-python · Benjamin Eckel · Nov 9, 2017
1 file changed · +6 −6
  • recurly/resource.py · modified · +6 −6
    @@ -12,8 +12,7 @@
     import recurly.errors
     from recurly.link_header import parse_link_value
     from six.moves import http_client
    -from six.moves.urllib.parse import urlencode, urljoin, urlsplit
    -
    +from six.moves.urllib.parse import urlencode, urlsplit, quote
     
     class Money(object):
     
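Review bot: the removed `-` line after the import is one of the two blank lines that separated the import block from `class Money(object):`; with only one left, PEP 8's two-blank-lines-before-a-top-level-definition rule is broken. Keep the blank line; only the `urljoin` import needed to go, and `quote` is the right replacement to bring in alongside `urlencode` and `urlsplit`.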
    @@ -338,7 +337,8 @@ def get(cls, uuid):
             can be directly requested with this method.
     
             """
    -        url = urljoin(recurly.base_uri(), cls.member_path % (uuid,))
    +        uuid = quote(str(uuid))
    +        url = recurly.base_uri() + (cls.member_path % (uuid,))
             resp, elem = cls.element_for_url(url)
             return cls.from_element(elem)
     
    @@ -606,7 +606,7 @@ def all(cls, **kwargs):
             parameters.
     
             """
    -        url = urljoin(recurly.base_uri(), cls.collection_path)
    +        url = recurly.base_uri() + cls.collection_path
             if kwargs:
                 url = '%s?%s' % (url, urlencode(kwargs))
             return Page.page_for_url(url)
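Review bot: `recurly.base_uri() + cls.collection_path` is now written out here and again in `count()` and `_create()`; a single helper (for example a `collection_url()` classmethod) would keep any further URL hardening in one place. Since `collection_path` is a class constant rather than caller input, this hunk is consistency with `get()` rather than part of the SSRF fix itself; the caller-controlled part of this URL is `kwargs`, which `urlencode()` already percent-encodes, so `&`, `#` and `?` in filter values cannot break out of the query string.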
    @@ -616,7 +616,7 @@ def count(cls, **kwargs):
             """Return a count of server side resources given
             filtering arguments in kwargs.
             """
    -        url = urljoin(recurly.base_uri(), cls.collection_path)
    +        url = recurly.base_uri() + cls.collection_path
             if kwargs:
                 url = '%s?%s' % (url, urlencode(kwargs))
             return Page.count_for_url(url)
    @@ -638,7 +638,7 @@ def _update(self):
             return self.put(self._url)
     
         def _create(self):
    -        url = urljoin(recurly.base_uri(), self.collection_path)
    +        url = recurly.base_uri() + self.collection_path
             return self.post(url)
     
         def put(self, url):
    

Vulnerability mechanics

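Added illustration, not part of the advisory text and not the Recurly client's own code: the unpatched `Resource.get` passed `member_path % uuid` through `urljoin()`, which resolves its second argument as a URL reference against `recurly.base_uri()`. Dot segments in an identifier therefore walk out of the `/v2/` prefix, a `?` or `#` splits off a query or fragment, and an identifier that reaches `urljoin()` without a fixed path prefix can carry a network-path or absolute reference and move the whole request to another host, where it arrives with whatever authentication header the client attaches (the API key compromise the description refers to). The patch replaces the resolution with `quote()` plus plain concatenation. The example below runs both constructions over constructed inputs and also shows the detail the patch leaves open: `quote()`'s default `safe='/'` leaves `/` and `..` unencoded, so the hardened builder uses `safe=''` and a format check. `BASE_URI`, the two path templates (the bare `%s` template is assumed purely to show the worst case `urljoin()` allows and is not claimed to exist in the library) and `IDENTIFIER_RE` are assumptions; the real client imports these functions through `six.moves`, the example uses `urllib.parse` directly.

```python
"""Added example, not code from the Recurly client: what urljoin() does with
an attacker-influenced identifier, what the patched quote()-and-concatenate
construction does with the same inputs, and a hardened variant."""
import re
from urllib.parse import quote, urljoin, urlsplit

# Assumed base, in the shape the diff's recurly.base_uri() returns.
BASE_URI = "https://example.recurly.com/v2/"

# Assumed allow-list for an identifier; adapt it to the real identifier format.
IDENTIFIER_RE = re.compile(r"[A-Za-z0-9_-]+")


def url_pre_patch(template, uuid):
    """Pre-patch shape: the formatted path is resolved as a URL reference
    against the base, so '..', '//host/...' and absolute URLs are honoured."""
    return urljoin(BASE_URI, template % (uuid,))


def url_post_patch(template, uuid, safe="/"):
    """Post-patch shape: percent-encode the identifier, then concatenate.
    safe='/' is quote()'s default and is what the patch uses."""
    return BASE_URI + (template % (quote(str(uuid), safe=safe),))


def url_hardened(template, uuid):
    """Concatenation plus a format check; quote(safe='') is kept as a second
    line of defence even though the check already excludes '/' and '..'."""
    uuid = str(uuid)
    if not IDENTIFIER_RE.fullmatch(uuid):
        raise ValueError("identifier outside expected format: %r" % uuid)
    return BASE_URI + (template % (quote(uuid, safe=""),))


def hardened_rejects(template, uuid):
    """True when url_hardened() refuses the identifier."""
    try:
        url_hardened(template, uuid)
    except ValueError:
        return True
    return False


def target(url):
    """(host, path, query) the HTTP layer would send to; urlsplit() does not
    normalise dot segments, so '..' left in the path shows up as text."""
    parts = urlsplit(url)
    return parts.netloc, parts.path, parts.query


def demo():
    """Constructed inputs (not real Recurly identifiers); returns, per case,
    the (host, path, query) each construction would request."""
    cases = {
        "legit": ("accounts/%s", "abc-123"),
        "traversal": ("accounts/%s", "../../admin"),
        # Bare template assumed to show the worst case: with no fixed prefix,
        # a network-path reference replaces the host under urljoin().
        "netpath": ("%s", "//evil.example/collect"),
        "query": ("accounts/%s", "abc?api_key=leak#x"),
    }
    out = {}
    for name, (template, uuid) in cases.items():
        out[name] = {
            "pre": target(url_pre_patch(template, uuid)),
            "post": target(url_post_patch(template, uuid)),
            "post_safe_empty": target(url_post_patch(template, uuid, safe="")),
        }
    return out


if __name__ == "__main__":
    for name, results in demo().items():
        for stage, where in results.items():
            print("%-9s %-16s host=%s path=%s query=%r" % ((name, stage) + where))
    print("hardened accepts abc-123:", url_hardened("accounts/%s", "abc-123"))
    print("hardened rejects ../../admin:", hardened_rejects("accounts/%s", "../../admin"))
```

Running it shows the two halves of the fix: with the pre-patch builder the traversal input resolves to `/admin` and the network-path input to host `evil.example`, while after the patch the host is always `example.recurly.com`. With the default `safe='/'`, though, the traversal case still requests `/v2/accounts/../../admin`, which an HTTP server that normalises dot segments collapses onto `/admin`; `safe=''` turns the same input into the literal segment `..%2F..%2Fadmin`, and the format check refuses it outright.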
