PT-2026-37250 · Pypi · Requests-Hardened

Published

2026-05-05

·

Updated

2026-05-12

·

CVE-2026-42175

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

Name of the Vulnerable Software and Affected Versions

requests-hardened versions prior to 1.2.1

Description

The Server-Side Request Forgery (SSRF) protection fails to block IP addresses within the RFC 6598 Shared Address Space (100.64.0.0/10). An attacker capable of supplying arbitrary URLs can exploit this gap to access internal services hosted within that range. This is particularly relevant in environments like AWS EKS, where 100.64.0.0/10 is commonly used as the default pod CIDR. The impact depends on the environment; deployments using this CIDR range for internal networking are exposed to SSRF bypass.
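Added example of the kind of gap described above, written here for illustration; it is not the requests-hardened code, whose actual filter and fix are not shown on this page. It contrasts a hypothetical `naive_is_blocked`, which relies only on the standard library's `ipaddress` classification flags (which do not mark 100.64.0.0/10 as private), with a hypothetical `hardened_is_blocked` that lists the Shared Address Space explicitly and also unwraps IPv4-mapped IPv6 addresses before checking.

```python
import ipaddress
from typing import Union

# Destination ranges an SSRF filter should refuse. RFC 6598 Shared Address
# Space (100.64.0.0/10) is listed explicitly because the stdlib flags
# is_private / is_loopback / is_link_local do not cover it.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def _normalize(ip_text: str) -> IPAddress:
    """Parse an address literal; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)
    so the IPv4 denylist applies to it as well."""
    addr = ipaddress.ip_address(ip_text.strip("[]"))
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def naive_is_blocked(ip_text: str) -> bool:
    """Hypothetical filter that trusts only the stdlib classification flags.
    It catches RFC 1918, loopback and link-local space, but 100.64.0.0/10 is
    neither is_private nor is_loopback, so it passes through."""
    addr = ipaddress.ip_address(ip_text)
    return (addr.is_private or addr.is_loopback
            or addr.is_link_local or addr.is_multicast)


def hardened_is_blocked(ip_text: str) -> bool:
    """Hypothetical filter with an explicit denylist that includes the
    Shared Address Space; an address in a network of another IP version
    simply does not match, so mixed-version checks are safe."""
    addr = _normalize(ip_text)
    return any(addr in net for net in BLOCKED_NETWORKS)


if __name__ == "__main__":
    # Constructed sample destinations: an EKS-style pod address, a public
    # resolver, and an IPv4-mapped form of the pod address.
    for sample in ("100.64.0.1", "8.8.8.8", "::ffff:100.64.0.1"):
        print(sample, "naive:", naive_is_blocked(sample),
              "hardened:", hardened_is_blocked(sample))
```

A real filter must apply this check to every address the hostname resolves to, after resolution, and again on each redirect hop; checking the URL string alone is not enough.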
Recommendations

Update to version 1.2.1.

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-42175
GHSA-VH75-FWV3-PQRH

Affected Products

Requests-Hardened