CVE-2026-42175

Published: May 12, 2026Modified: May 13, 2026Deferred

6.5

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

Exploitability: 2.2 / Impact: 4.2

Source: security-advisories@github.com (Secondary)

Description

requests-hardened is a library that overrides the default behaviors of the requests library, and adds new security features. Prior to , the SSRF protection in requests-hardened fails to block IP addresses within the RFC 6598 Shared Address Space (100.64.0.0/10). An attacker who can supply arbitrary URLs to requests-hardened could exploit this gap to access internal services hosted within 100.64.0.0/10. This is for example relevant in environments such as AWS EKS where 100.64.0.0/10 is commonly used as the default pod CIDR. The impact is environment-dependent, deployments that utilize the affected CIDR range for internal networking are exposed to SSRF bypass, while others may not be affected. This vulnerability is fixed in .

Related CWEs

CWE-918

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (4)

https://github.com/saleor/requests-hardened/commit/a266b3958bb142bca515b3c230fdea19fbda327c

Source: security-advisories@github.com

https://github.com/saleor/requests-hardened/commit/b7403f88d3b3689e57435b75b51691a160aaeef5

Source: security-advisories@github.com

https://github.com/saleor/requests-hardened/releases/tag/v1.2.1

Source: security-advisories@github.com

https://github.com/saleor/requests-hardened/security/advisories/GHSA-vh75-fwv3-pqrh

Source: security-advisories@github.com

Timeline

No history available yet.