CVE-2026-33752
Published: 06 April 2026
Summary
CVE-2026-33752 is a high-severity SSRF (CWE-918) vulnerability in Lexiforest Curl Cffi. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 3.3rd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly remediates the SSRF vulnerability in curl_cffi prior to 0.15.0 by requiring timely identification, reporting, and patching of the flaw.
- Requires validation of attacker-controlled URLs input to curl_cffi to block redirects to internal IP ranges and cloud metadata endpoints.
- Monitors and controls communications at key internal boundaries to prevent unauthorized application access to sensitive internal services like metadata endpoints.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF in a library used by public-facing applications enables exploitation via T1190; direct access to cloud metadata endpoints facilitates T1522.
NVD Description
curl_cffi is a Python binding for curl. Prior to 0.15.0, curl_cffi does not restrict requests to internal IP ranges, and follows redirects automatically via the underlying libcurl. Because of this, an attacker-controlled URL can redirect requests to internal services such as cloud metadata endpoints. In addition, curl_cffi’s TLS impersonation feature can make these requests appear as legitimate browser traffic, which may bypass certain network controls. This vulnerability is fixed in 0.15.0.
Deeper analysis
CVE-2026-33752 is a server-side request forgery vulnerability (CWE-918) in curl_cffi, a Python binding for libcurl, affecting versions prior to 0.15.0. The issue arises because curl_cffi does not restrict HTTP requests to internal IP ranges and automatically follows redirects via the underlying libcurl implementation. This enables redirection from attacker-controlled URLs to sensitive internal services, such as cloud metadata endpoints. Furthermore, curl_cffi's TLS impersonation feature can make these requests mimic legitimate browser traffic, potentially bypassing network security controls.
The vulnerability carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), indicating exploitation by unauthenticated remote attackers with low complexity and no user interaction. An attacker who controls a URL fetched by an application using vulnerable curl_cffi can trigger redirects to internal resources, achieving high-impact confidentiality breaches through unauthorized data access, such as instance metadata in cloud environments.
The vulnerability is fixed in curl_cffi version 0.15.0. Advisory details are available in the GitHub security advisory at https://github.com/lexiforest/curl_cffi/security/advisories/GHSA-qw2m-4pqf-rmpp, which practitioners should consult for patching guidance and additional context.
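The two application-side checks the analysis above implies (the SI-10 validation of attacker-supplied URLs, and re-validating every redirect hop rather than letting the client library follow redirects on its own) look like this in practice. This is an added example written for this page, not code from the curl_cffi project or from the advisory; it does not import curl_cffi and does not show how 0.15.0 fixes the issue. The resolver and transport are injected so the example runs offline; the hostnames, addresses and responses in `CONSTRUCTED_DNS` and `CONSTRUCTED_RESPONSES` are constructed sample data, and `fetch_checked` stands in for whatever client call an application makes with automatic redirects disabled.

```python
"""Outbound-URL guard for an application that fetches attacker-supplied URLs.

Added example (not curl_cffi project code): resolve the destination and reject
internal ranges, then repeat that check on every redirect hop.
"""
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

# Ranges an outbound fetch should never reach. 169.254.0.0/16 covers the
# 169.254.169.254 cloud metadata endpoint; the rest are RFC 1918, loopback,
# shared address space, multicast/reserved and their IPv6 counterparts.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "240.0.0.0/4", "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]
ALLOWED_SCHEMES = {"http", "https"}


class SSRFBlocked(Exception):
    """Raised when a URL (or a redirect target) points at an internal address."""


def default_resolver(host):
    """Resolve a hostname to all of its A/AAAA records with the system resolver."""
    return sorted({info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)})


def is_blocked_address(addr):
    """True if the address is in a deny-listed range (IPv4-mapped IPv6 is unwrapped)."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def check_url(url, resolver=default_resolver):
    """Validate one URL; return its resolved addresses or raise SSRFBlocked."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        raise SSRFBlocked(f"unsupported scheme or missing host: {url}")
    host = parts.hostname
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP in the URL
    except ValueError:
        addrs = resolver(host)                      # hostname: resolve all records
    if not addrs:
        raise SSRFBlocked(f"host does not resolve: {host}")
    # Every record must pass: a name resolving to both a public and an internal
    # address would otherwise let the client pick the internal one.
    for addr in addrs:
        if is_blocked_address(addr):
            raise SSRFBlocked(f"{url} resolves to internal address {addr}")
    return addrs


def url_allowed(url, resolver=default_resolver):
    """Boolean form of check_url for callers that prefer not to catch exceptions."""
    try:
        check_url(url, resolver)
        return True
    except SSRFBlocked:
        return False


def fetch_checked(url, transport, resolver=default_resolver, max_redirects=5):
    """Fetch url, validating the initial URL and every redirect target.

    transport(url) performs one request with redirects disabled and returns
    (status, headers, body). Returns (final_url, status, body).
    """
    for _ in range(max_redirects + 1):
        check_url(url, resolver)
        status, headers, body = transport(url)
        location = headers.get("Location")
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)  # relative Location headers are resolved
            continue
        return url, status, body
    raise SSRFBlocked("too many redirects")


# Constructed sample data so the example runs offline (hypothetical names/addresses).
CONSTRUCTED_DNS = {
    "example.test": ["203.0.113.10"],
    "meta.attacker.test": ["169.254.169.254"],          # points at the metadata endpoint
    "dual.attacker.test": ["203.0.113.20", "10.0.0.5"],  # mixed public/internal records
}
CONSTRUCTED_RESPONSES = {
    "https://example.test/start": (302, {"Location": "/final"}, b""),
    "https://example.test/final": (200, {}, b"ok"),
    "https://example.test/bounce": (302, {"Location": "http://meta.attacker.test/latest/meta-data/"}, b""),
}


def constructed_resolver(host):
    return CONSTRUCTED_DNS.get(host, [])


def constructed_transport(url):
    """Stands in for a real client call made with automatic redirects disabled."""
    return CONSTRUCTED_RESPONSES[url]


if __name__ == "__main__":
    print(fetch_checked("https://example.test/start", constructed_transport, constructed_resolver))
    try:
        fetch_checked("https://example.test/bounce", constructed_transport, constructed_resolver)
    except SSRFBlocked as exc:
        print("blocked:", exc)
```

Two caveats for anyone adapting this: the check resolves the name once and the client then resolves it again when connecting, so a DNS answer that changes between the two (rebinding) can still slip through unless the validated address is pinned into the connection; and a deny-list of ranges is a floor, not a ceiling, so an allow-list of expected destination hosts is stronger where the application can express one. Boundary controls (SC-7) that block egress from application hosts to the metadata endpoint remain the backstop when the application-level check is bypassed.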
Details
- CWE(s)