PT-2026-30271 · Pypi+1 · Curl-Cffi+1

Redyank

Published: 2026-04-03 · Updated: 2026-04-06

CVE-2026-33752

CVSS v3.1: 8.6 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: curl_cffi (affected versions not specified)
Description: curl_cffi does not restrict requests to internal IP ranges, and libcurl follows redirects automatically. An attacker-controlled URL can therefore redirect a request to an internal service, such as a cloud metadata endpoint (server-side request forgery). curl_cffi's TLS impersonation feature can additionally make these requests look like legitimate browser traffic, potentially bypassing network controls. The root cause is that user-supplied URLs are passed directly to libcurl with no validation against internal IP ranges, redirects are followed automatically, and redirect destinations are never validated at the Python layer. An attacker supplies a URL pointing at their own server, which redirects to an internal service, giving them access to internal endpoints; TLS fingerprint impersonation can further help evade TLS-based filtering controls.
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
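Because no fixed version is listed, the mitigation currently has to live in the calling application: validate the destination before the first request and again before every redirect hop, with the client's automatic redirect following switched off. The code below is an added example, not code from the curl_cffi project or this advisory; `send(url)` is a hypothetical stand-in for a single HTTP request made with redirects disabled, so the module runs without network access, and `resolve_all` uses real DNS unless a stub resolver is injected.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

def resolve_all(host):
    """Every address the host maps to (real DNS; tests inject a stub instead)."""
    return {ai[4][0] for ai in socket.getaddrinfo(host, None)}

def is_internal(ip_str):
    """True for loopback, RFC 1918, link-local (e.g. 169.254.169.254), reserved, etc."""
    ip = ipaddress.ip_address(ip_str)
    if ip.version == 6 and ip.ipv4_mapped is not None:  # ::ffff:10.0.0.1 style
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)

def check_url(url, resolver=resolve_all):
    """Raise ValueError unless url is http(s) and its host has only public addresses."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no host")
    # Reject if ANY answer is internal: a mixed public/private answer set is a known evasion.
    for ip in resolver(parts.hostname):
        if is_internal(ip):
            raise ValueError(f"{parts.hostname} resolves to internal address {ip}")
    return parts.hostname

def fetch_checked(url, send, resolver=resolve_all, max_redirects=5):
    """Follow redirects in Python, validating every hop before it is requested.

    send(url) is a hypothetical callable: it performs ONE request with the
    client's automatic redirects disabled and returns
    (status, location_header_or_None, body).
    """
    hops = [url]
    for _ in range(max_redirects + 1):
        check_url(url, resolver)
        status, location, body = send(url)
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)  # Location may be relative
            hops.append(url)
            continue
        return status, body, hops
    raise ValueError(f"too many redirects: {hops}")
```

The validation lookup and the client's own connect are separate DNS queries, so a rebinding resolver can still change the answer between them; pinning the validated address for the connection (libcurl's CURLOPT_RESOLVE) closes that gap.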

Exploit: SSRF

Weakness Enumeration

Related Identifiers: CVE-2026-33752, GHSA-QW2M-4PQF-RMPP

Affected Products: Curl-Cffi, Libcurl