High severity 8.6 · NVD Advisory · Published Apr 6, 2026 · Updated Apr 9, 2026
CVE-2026-33752
Description
curl_cffi is a Python binding for curl. Prior to 0.15.0, curl_cffi does not restrict requests to internal IP ranges, and follows redirects automatically via the underlying libcurl. Because of this, an attacker-controlled URL can redirect requests to internal services such as cloud metadata endpoints. In addition, curl_cffi’s TLS impersonation feature can make these requests appear as legitimate browser traffic, which may bypass certain network controls. This vulnerability is fixed in 0.15.0.
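An application-side guard for the redirect behaviour described above, as an added example (not curl_cffi's code and not the 0.15.0 fix): each hop is resolved and checked against non-public address ranges before it is requested. `fetch` is a hypothetical caller-supplied callable that performs one request with automatic redirects disabled and returns `(status, location)`; the hostnames and addresses in the sample data are constructed.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit


class BlockedURL(Exception):
    """Raised when a hop points at a non-public or non-HTTP destination."""


def system_resolve(host):
    # Default resolver: every address the name maps to (IPv4 and IPv6).
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_url(url, resolve=system_resolve):
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise BlockedURL(f"scheme or host not allowed: {url}")
    for addr in resolve(parts.hostname):
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 zone id
        # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the embedded IPv4 address.
        ip = getattr(ip, "ipv4_mapped", None) or ip
        # is_global is False for loopback, RFC 1918, link-local (169.254/16), etc.
        if not ip.is_global:
            raise BlockedURL(f"{parts.hostname} resolves to internal address {ip}")
    return url


def fetch_checked(url, fetch, resolve=system_resolve, max_hops=5):
    # Follow redirects manually so every hop is validated before it is requested.
    # `fetch` (hypothetical) makes ONE request, redirects off -> (status, location).
    for _ in range(max_hops + 1):
        check_url(url, resolve)
        status, location = fetch(url)
        if status not in (301, 302, 303, 307, 308) or not location:
            return url, status
        url = urljoin(url, location)  # Location may be relative
    raise BlockedURL("too many redirects")


# Constructed sample data (no network): fake DNS and a fake redirecting server.
FAKE_DNS = {"cdn.example": {"93.184.216.34"}, "hook.example": {"93.184.216.34"},
            "169.254.169.254": {"169.254.169.254"}}
FAKE_HOPS = {"https://hook.example/a": (302, "http://169.254.169.254/"),
             "https://cdn.example/a": (301, "/b"),
             "https://cdn.example/b": (200, None)}
```

The check and the later connection resolve the name separately, so a DNS answer that changes in between can still slip past it; pair this with egress filtering or with pinning the connection to the address that was validated.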
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| curl_cffi (PyPI) | < 0.15.0 | 0.15.0 |
Affected products
- cpe:2.3:a:lexiforest:curl_cffi:0.15.0:beta1:*:*:*:python:*:*
- cpe:2.3:a:lexiforest:curl_cffi:0.15.0:beta2:*:*:*:python:*:*
- cpe:2.3:a:lexiforest:curl_cffi:0.15.0:beta3:*:*:*:python:*:*
- cpe:2.3:a:lexiforest:curl_cffi:0.15.0:beta4:*:*:*:python:*:*
- cpe:2.3:a:lexiforest:curl_cffi:*:*:*:*:*:python:*:* (range: <0.15.0)
References
- github.com/lexiforest/curl_cffi/security/advisories/GHSA-qw2m-4pqf-rmpp (nvd: Exploit, Vendor Advisory; WEB)
- github.com/advisories/GHSA-qw2m-4pqf-rmpp (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-33752 (ghsa: ADVISORY)