VYPR
High severity · 8.6 · NVD Advisory · Published Apr 6, 2026 · Updated Apr 9, 2026

CVE-2026-33752

Description

curl_cffi is a Python binding for curl. Prior to 0.15.0, curl_cffi does not restrict requests to internal IP ranges, and it follows redirects automatically via the underlying libcurl. As a result, an attacker-controlled URL can redirect requests to internal services such as cloud metadata endpoints. In addition, curl_cffi's TLS impersonation feature can make these requests appear as legitimate browser traffic, which may bypass certain network controls. This vulnerability is fixed in 0.15.0.
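
A caller-side guard for the redirect behavior described above, as an added example (not curl_cffi's code and not the 0.15.0 fix). It assumes the HTTP client is called with automatic redirects disabled and wrapped as `fetch(url) -> (status, Location)`; `guarded_fetch`, `check_url`, the resolvers and the sample data are hypothetical names constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

class BlockedDestination(Exception):
    """A URL in the redirect chain points at a non-public address."""

def system_resolver(host):
    # Every address the name resolves to; one internal record is enough to block.
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def check_url(url, resolver=system_resolver):
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise BlockedDestination(f"unsupported URL: {url!r}")
    for addr in resolver(parts.hostname):
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 zone id
        if ip.version == 6 and ip.ipv4_mapped:  # ::ffff:a.b.c.d is judged as IPv4
            ip = ip.ipv4_mapped
        if not ip.is_global:  # loopback, RFC 1918, link-local, CGNAT, reserved
            raise BlockedDestination(f"{url!r} resolves to {ip}")

def guarded_fetch(url, fetch, resolver=system_resolver, max_hops=5):
    """fetch(url) -> (status, Location or None), automatic redirects disabled."""
    chain = []
    for _ in range(max_hops + 1):
        check_url(url, resolver)  # validate every hop, not only the first URL
        chain.append(url)
        status, location = fetch(url)
        if status not in REDIRECTS or not location:
            return status, chain
        url = urljoin(url, location)  # Location may be relative
    raise BlockedDestination(f"more than {max_hops} redirects")

# Constructed sample data: fake DNS answers and fake server responses (no network).
FAKE_DNS = {"public.test": {"93.184.216.34"}}
FAKE_RESPONSES = {
    "https://public.test/a": (302, "/b"),
    "https://public.test/b": (200, None),
    "https://public.test/evil": (302, "http://169.254.169.254/"),
}

def fake_resolver(host):
    return FAKE_DNS.get(host, {host})  # IP literals resolve to themselves

def fake_fetch(url):
    return FAKE_RESPONSES[url]
```

The check and the client's own connection use separate DNS lookups, so where the client allows it, connect to the address that was validated.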

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Affected versions   Patched versions
curl_cffi (PyPI)   < 0.15.0            0.15.0

Affected products

6
  • cpe:2.3:a:lexiforest:curl_cffi:0.15.0:beta1:*:*:*:python:*:*
  • cpe:2.3:a:lexiforest:curl_cffi:0.15.0:beta2:*:*:*:python:*:*
  • cpe:2.3:a:lexiforest:curl_cffi:0.15.0:beta3:*:*:*:python:*:*
  • cpe:2.3:a:lexiforest:curl_cffi:0.15.0:beta4:*:*:*:python:*:*
  • cpe:2.3:a:lexiforest:curl_cffi:*:*:*:*:*:python:*:* (range: < 0.15.0)
  • ghsa-coords
    Range: < 0.15.0
