CWE-918
AllowedServer-Side Request Forgery (SSRF)
Abstraction: Base · Status: Incomplete
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
4652 vulnerabilities reference this CWE, most recent first.
GHSA-5HJ8-2W5C-MMPR
Vulnerability from github – Published: 2026-06-13 00:34 – Updated: 2026-06-13 00:34OpenClaw before 2026.5.2 contains a credential exposure vulnerability in message.action forwarding that allows model-controlled metadata to forward action payloads with Gateway credentials to attacker-supplied loopback URLs. Remote attackers can intercept Gateway tokens and action payloads by providing malicious loopback targets through model-controlled action metadata.
{
"affected": [],
"aliases": [
"CVE-2026-53827"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-12T22:16:54Z",
"severity": "MODERATE"
},
"details": "OpenClaw before 2026.5.2 contains a credential exposure vulnerability in message.action forwarding that allows model-controlled metadata to forward action payloads with Gateway credentials to attacker-supplied loopback URLs. Remote attackers can intercept Gateway tokens and action payloads by providing malicious loopback targets through model-controlled action metadata.",
"id": "GHSA-5hj8-2w5c-mmpr",
"modified": "2026-06-13T00:34:32Z",
"published": "2026-06-13T00:34:32Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-grc3-2j34-p6gm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53827"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-credential-exposure-via-model-supplied-loopback-urls-in-message-action-forwarding"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-5HJ8-XGX5-P37F
Vulnerability from github – Published: 2024-08-05 12:31 – Updated: 2025-03-13 15:32** UNSUPPORTED WHEN ASSIGNED ** Server-Side Request Forgery (SSRF) vulnerability in Apache IoTDB Workbench.
This issue affects Apache IoTDB Workbench: from 0.13.0.
As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
{
"affected": [],
"aliases": [
"CVE-2024-36448"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-05T10:15:32Z",
"severity": "HIGH"
},
"details": "** UNSUPPORTED WHEN ASSIGNED ** Server-Side Request Forgery (SSRF) vulnerability in Apache IoTDB Workbench.\n\nThis issue affects Apache IoTDB Workbench: from 0.13.0.\n\nAs this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.\n\nNOTE: This vulnerability only affects products that are no longer supported by the maintainer.",
"id": "GHSA-5hj8-xgx5-p37f",
"modified": "2025-03-13T15:32:36Z",
"published": "2024-08-05T12:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36448"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/d19p0vsm7nogp43q9m3tzm5jl6mzjj1x"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/08/05/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-5HJH-C26M-XW8W
Vulnerability from github – Published: 2022-05-03 00:00 – Updated: 2022-05-04 20:14ProxyScotch is a simple proxy server created for hoppscotch.io. The package github.com/hoppscotch/proxyscotch before 1.0.0 are vulnerable to Server-side Request Forgery (SSRF) when interceptor mode is set to proxy. It occurs when an HTTP request is made by a backend server to an untrusted URL submitted by a user. It leads to a leakage of sensitive information from the server.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/hoppscotch/proxyscotch"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-25850"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2022-05-04T20:14:02Z",
"nvd_published_at": "2022-05-01T16:15:00Z",
"severity": "HIGH"
},
"details": "ProxyScotch is a simple proxy server created for hoppscotch.io. The package github.com/hoppscotch/proxyscotch before 1.0.0 are vulnerable to Server-side Request Forgery (SSRF) when interceptor mode is set to proxy. It occurs when an HTTP request is made by a backend server to an untrusted URL submitted by a user. It leads to a leakage of sensitive information from the server.",
"id": "GHSA-5hjh-c26m-xw8w",
"modified": "2022-05-04T20:14:02Z",
"published": "2022-05-03T00:00:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25850"
},
{
"type": "WEB",
"url": "https://github.com/hoppscotch/proxyscotch/commit/de67380f62f907f201d75854b76024ba4885fab7"
},
{
"type": "PACKAGE",
"url": "https://github.com/hoppscotch/proxyscotch"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMHOPPSCOTCHPROXYSCOTCH-2435228"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "ProxyScotch is vulnerable to a server-side Request Forgery (SSRF)"
}
GHSA-5HMG-HCP5-2GMP
Vulnerability from github – Published: 2025-03-03 00:30 – Updated: 2025-03-03 00:30A vulnerability, which was classified as critical, has been found in zj1983 zz up to 2024-8. Affected by this issue is the function sendNotice of the file src/main/java/com/futvan/z/erp/customer_notice/Customer_noticeAction.java of the component HTTP Request Handler. The manipulation of the argument url leads to server-side request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-1833"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-02T22:15:34Z",
"severity": "MODERATE"
},
"details": "A vulnerability, which was classified as critical, has been found in zj1983 zz up to 2024-8. Affected by this issue is the function sendNotice of the file src/main/java/com/futvan/z/erp/customer_notice/Customer_noticeAction.java of the component HTTP Request Handler. The manipulation of the argument url leads to server-side request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-5hmg-hcp5-2gmp",
"modified": "2025-03-03T00:30:51Z",
"published": "2025-03-03T00:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1833"
},
{
"type": "WEB",
"url": "https://github.com/caigo8/CVE-md/blob/main/zz/zz_2024_8%E5%90%8E%E5%8F%B0SSRF.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.298100"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.298100"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.504833"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-5HPP-R359-82QX
Vulnerability from github – Published: 2025-04-09 18:30 – Updated: 2026-04-01 18:34Server-Side Request Forgery (SSRF) vulnerability in Joe Waymark allows Server Side Request Forgery. This issue affects Waymark: from n/a through 1.5.2.
{
"affected": [],
"aliases": [
"CVE-2025-32487"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-09T17:15:41Z",
"severity": "MODERATE"
},
"details": "Server-Side Request Forgery (SSRF) vulnerability in Joe Waymark allows Server Side Request Forgery. This issue affects Waymark: from n/a through 1.5.2.",
"id": "GHSA-5hpp-r359-82qx",
"modified": "2026-04-01T18:34:35Z",
"published": "2025-04-09T18:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32487"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/waymark/vulnerability/wordpress-waymark-1-5-2-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5HR4-253G-CPX2
Vulnerability from github – Published: 2026-04-04 06:38 – Updated: 2026-06-09 10:57Summary
web3.py implements CCIP Read / OffchainLookup (EIP-3668) by performing HTTP requests to URLs supplied by smart contracts in offchain_lookup_payload["urls"]. The implementation uses these contract-supplied URLs directly (after {sender} / {data} template substitution) without any destination validation:
- No restriction to
https://(and no opt-in gate forhttp://) - No hostname or IP allowlist
- No blocking of private/reserved IP ranges (loopback, link-local, RFC1918)
- No redirect target validation (both
requestsandaiohttpfollow redirects by default)
CCIP Read is enabled by default (global_ccip_read_enabled = True on all providers), meaning any application using web3.py's .call() method is exposed without explicit opt-in.
This results in Server-Side Request Forgery (SSRF) when web3.py is used in backend services, indexers, APIs, or any environment that performs eth_call / .call() against untrusted or user-supplied contract addresses. A malicious contract can force the web3.py process to issue HTTP requests to arbitrary destinations, including internal network services and cloud metadata endpoints.
Why This Is a Vulnerability
The argument is not that CCIP Read itself is invalid or that web3.py should stop supporting EIP-3668. The issue is that, in server-side deployments (backends, indexers, bots, APIs), the current implementation doesn't provide destination policy controls, such as a validation/override hook, private-range blocking, or redirect target checks, which means contract controlled CCIP URLs can be used as an SSRF primitive.
This is consistent with EIP-3668's own security considerations, which recommends that client libraries "provide clients with a hook to override CCIP read calls, either by rewriting them to use a proxy service, or by denying them entirely" and that "this mechanism or another should be written so as to easily facilitate adding domains to allowlists or blocklists." The mitigations I'm suggesting are meant to align with that guidance without breaking CCIP Read support.
-
Default-on exposure. CCIP Read is enabled by default on all web3.py providers (
global_ccip_read_enabled = True). Users who never intend to use CCIP Read, and who may not even know the feature exists, are silently exposed. A feature that makes unsanitized outbound requests to attacker-controlled URLs should not be enabled by default without safety guardrails. -
Library vs. application responsibility. web3.py is a widely-used library. Expecting every downstream application to independently implement SSRF protections around
.call()is unreasonable, especially for a feature that fires automatically and invisibly on a specific revert pattern. Safe defaults at the library level are the standard expectation for any library that issues outbound HTTP requests to externally-controlled URLs.
Affected Code
Sync CCIP handler
File: web3/utils/exception_handling.py (lines 42-58)
Contract-controlled URLs are requested via requests with no destination validation:
session = requests.Session()
for url in offchain_lookup_payload["urls"]:
formatted_url = URI(
str(url)
.replace("{sender}", str(formatted_sender))
.replace("{data}", str(formatted_data))
)
try:
if "{data}" in url and "{sender}" in url:
response = session.get(formatted_url, timeout=DEFAULT_HTTP_TIMEOUT)
else:
response = session.post(
formatted_url,
json={"data": formatted_data, "sender": formatted_sender},
timeout=DEFAULT_HTTP_TIMEOUT,
)
(The request is issued before response validation; subsequent logic parses JSON and enforces a "data" field.)
Key observations:
- requests follows redirects by default (allow_redirects=True).
- No allow_redirects=False is set.
- No validation of formatted_url before the request.
- The placeholder check (if "{data}" in url) operates on the raw url value from the payload (before str() conversion), not on the already-formatted formatted_url. If url is not a plain str (e.g., a URI type), the in check may behave differently than intended.
Async CCIP handler
File: web3/utils/async_exception_handling.py (lines 45-63)
Same pattern with aiohttp:
session = ClientSession()
for url in offchain_lookup_payload["urls"]:
formatted_url = URI(
str(url)
.replace("{sender}", str(formatted_sender))
.replace("{data}", str(formatted_data))
)
try:
if "{data}" in url and "{sender}" in url:
response = await session.get(
formatted_url, timeout=ClientTimeout(DEFAULT_HTTP_TIMEOUT)
)
else:
response = await session.post(
formatted_url,
json={"data": formatted_data, "sender": formatted_sender},
timeout=ClientTimeout(DEFAULT_HTTP_TIMEOUT),
)
Key observations:
- aiohttp follows redirects by default.
- No redirect or destination validation.
- Same raw-url placeholder check issue as the sync handler.
Default-on invocation path
File: web3/providers/base.py (line 66) and web3/providers/async_base.py (line 79):
global_ccip_read_enabled: bool = True
File: web3/eth/eth.py (lines 222-266) and web3/eth/async_eth.py (lines 243-287):
The .call() method automatically invokes handle_offchain_lookup() / async_handle_offchain_lookup() when a contract reverts with OffchainLookup, up to ccip_read_max_redirects times (default: 4). No user interaction or explicit opt-in is required beyond the default configuration.
Security Impact
1. Blind SSRF (Primary Impact)
A malicious contract can supply URLs that cause the web3.py process to issue HTTP GET or POST requests to:
- Loopback services:
http://127.0.0.1:<port>/...,http://localhost/... - Cloud metadata endpoints:
http://169.254.169.254/latest/meta-data/iam/security-credentials/ - Internal network services: any RFC1918 address (
10.x.x.x,172.16-31.x.x,192.168.x.x) - Arbitrary external destinations
The request is made from the web3.py process. This alone constitutes SSRF -- the attacker controls the destination of an outbound request from the victim's infrastructure.
Note on response handling: The CCIP handler expects a JSON response containing a "data" field. If the target endpoint does not return valid JSON with this key, the handler raises Web3ValidationError or continues to the next URL. This means:
- The raw response body is not directly returned to the attacker in most cases (blind SSRF).
- However, the request itself is the primary threat: it can reach internal services, trigger side effects on internal APIs, and serve as a network probe.
- On AWS with IMDSv1, a GET to
http://169.254.169.254/...returns credentials in plaintext. While the CCIP handler would fail to parse this as JSON, the request itself reaches the metadata service. If an internal endpoint returns JSON containing a"data"field (or can be coerced to), the handler may accept it and use it in the on-chain callback, creating a potential exfiltration path.
2. Redirect-Based SSRF Amplification
Both requests and aiohttp follow HTTP redirects by default. The CCIP handlers use the final response without validating the final resolved URL.
- Sync:
web3/utils/exception_handling.py--session.get()with defaultallow_redirects=True - Async:
web3/utils/async_exception_handling.py--session.get()with default redirect following
A contract-supplied URL can point to an attacker-controlled server that issues a 302 redirect to http://169.254.169.254/... or any internal endpoint. This defeats naive URL-prefix checks that an application might add, expanding the SSRF surface.
3. Internal Network Probing
By varying the URLs supplied in the OffchainLookup revert payload, an attacker can:
- Probe internal network topology (open ports, reachable hosts) based on response timing and error behavior
- Trigger side effects on internal APIs that accept GET or POST requests without authentication
- Map cloud infrastructure by querying metadata endpoints
4. POST-Based SSRF
When the contract-supplied URL does not contain both {sender} and {data} placeholders, the handler switches to session.post() with a JSON body. This means the attacker can cause the victim to issue POST requests with a controlled JSON body ({"data": ..., "sender": ...}) to arbitrary destinations, increasing the potential for triggering state-changing operations on internal services.
Proof of Concept
Prerequisites
- Python environment with
web3installed - No network access or blockchain connection required (the PoC calls the handler function directly)
Step 1: Start a local HTTP listener
python -m http.server 9999
Step 2: Run the reproduction script
python repro_ssrf.py
Step 3: Observe
The HTTP server logs will show an inbound request to a path like /SSRF_DETECTION_SUCCESS?sender=...&data=..., confirming that handle_offchain_lookup() issued an outbound HTTP request to the contract-supplied URL without any destination validation.
The script will then print an error (the local HTTP server does not return the expected JSON), but the request has already been sent -- the SSRF occurs before any response validation.
Reproduction script (repro_ssrf.py)
from web3.types import TxParams
from web3.utils.exception_handling import handle_offchain_lookup
def reproduce_ssrf():
target_address = "0x0000000000000000000000000000000000000001"
payload = {
"sender": target_address,
"callData": "0x1234",
"callbackFunction": "0x12345678",
"extraData": "0x90ab",
"urls": [
"http://127.0.0.1:9999/SSRF_DETECTION_SUCCESS?sender={sender}&data={data}"
],
}
transaction: TxParams = {"to": target_address}
print(f"Triggering CCIP Read handler with URL: {payload['urls'][0]}")
try:
handle_offchain_lookup(payload, transaction)
except Exception as e:
print(f"Expected failure after request was sent: {e}")
if __name__ == "__main__":
reproduce_ssrf()
Real-world attack scenario
In a production setting, the attacker would:
- Deploy a malicious contract that reverts with
OffchainLookup, supplying URLs pointing to internal services (e.g.,http://169.254.169.254/latest/meta-data/iam/security-credentials/). - Cause a backend service (indexer, API, bot) to call that contract via
eth_call/.call(). - web3.py automatically triggers CCIP Read, issuing the HTTP request from the backend's network context.
No special permissions or contract interactions beyond a standard eth_call are required.
Suggested Remediation
1. Restrict URL schemes (safe default)
Allow only https:// by default. Provide an explicit opt-in flag (e.g., ccip_read_allow_http=True) for http://.
2. Block private/reserved IP destinations by default
Before issuing the request, resolve the hostname and reject connections to:
127.0.0.0/8(loopback)169.254.0.0/16(link-local / cloud metadata)10.0.0.0/8,172.16.0.0/12,192.168.0.0/16(RFC1918)::1,fe80::/10(IPv6 loopback / link-local)0.0.0.0/8
3. Disable or validate redirects
Either:
- Set allow_redirects=False on the HTTP requests, or
- Validate each redirect target against the same destination policy before following it
4. Provide a URL validator hook
Allow users to supply a custom URL validation callback for CCIP Read URLs (e.g., a hostname allowlist, gateway pinning, or custom policy). This enables advanced users to configure CCIP Read for their specific trust model.
5. Consider stronger default safety signaling (or default-off in server-side contexts)
EIP-3668 encourages keeping CCIP Read enabled for calls, so this may not be desirable as a universal default change. However, for server-side deployments, consider either:
- a clearly documented “safe mode” preset (destination validation + redirect checks + private-range blocking), or
- stronger warnings / examples showing how to disable CCIP Read (ccip_read_enabled=False or global_ccip_read_enabled=False) when calling untrusted contracts.
At minimum, document the SSRF risk prominently in the CCIP Read docs.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "web3"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0b3"
},
{
"fixed": "7.15.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "web3"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0b1"
},
{
"fixed": "8.0.0b2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"8.0.0b1"
]
}
],
"aliases": [
"CVE-2026-40072"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-04T06:38:11Z",
"nvd_published_at": "2026-04-09T18:17:03Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nweb3.py implements CCIP Read / `OffchainLookup` (EIP-3668) by performing HTTP requests to URLs supplied by smart contracts in `offchain_lookup_payload[\"urls\"]`. The implementation uses these contract-supplied URLs directly (after `{sender}` / `{data}` template substitution) without any destination validation:\n\n- No restriction to `https://` (and no opt-in gate for `http://`)\n- No hostname or IP allowlist\n- No blocking of private/reserved IP ranges (loopback, link-local, RFC1918)\n- No redirect target validation (both `requests` and `aiohttp` follow redirects by default)\n\n**CCIP Read is enabled by default** (`global_ccip_read_enabled = True` on all providers), meaning any application using web3.py\u0027s `.call()` method is exposed without explicit opt-in.\n\nThis results in **Server-Side Request Forgery (SSRF)** when web3.py is used in backend services, indexers, APIs, or any environment that performs `eth_call` / `.call()` against untrusted or user-supplied contract addresses. A malicious contract can force the web3.py process to issue HTTP requests to arbitrary destinations, including internal network services and cloud metadata endpoints.\n\n---\n\n## Why This Is a Vulnerability\n\nThe argument is not that CCIP Read itself is invalid or that web3.py should stop supporting EIP-3668. The issue is that, in server-side deployments (backends, indexers, bots, APIs), the current implementation doesn\u0027t provide destination policy controls, such as a validation/override hook, private-range blocking, or redirect target checks, which means contract controlled CCIP URLs can be used as an SSRF primitive.\n\nThis is consistent with EIP-3668\u0027s own security considerations, which recommends that client libraries \"provide clients with a hook to override CCIP read calls, either by rewriting them to use a proxy service, or by denying them entirely\" and that \"this mechanism or another should be written so as to easily facilitate adding domains to allowlists or blocklists.\" The mitigations I\u0027m suggesting are meant to align with that guidance without breaking CCIP Read support.\n\n- **Default-on exposure.** CCIP Read is enabled by default on all web3.py providers (`global_ccip_read_enabled = True`). Users who never intend to use CCIP Read, and who may not even know the feature exists, are silently exposed. A feature that makes unsanitized outbound requests to attacker-controlled URLs should not be enabled by default without safety guardrails.\n\n- **Library vs. application responsibility.** web3.py is a widely-used library. Expecting every downstream application to independently implement SSRF protections around `.call()` is unreasonable, especially for a feature that fires automatically and invisibly on a specific revert pattern. Safe defaults at the library level are the standard expectation for any library that issues outbound HTTP requests to externally-controlled URLs.\n\n---\n\n## Affected Code\n\n### Sync CCIP handler\n\n**File:** `web3/utils/exception_handling.py` (lines 42-58)\n\nContract-controlled URLs are requested via `requests` with no destination validation:\n\n```python\nsession = requests.Session()\nfor url in offchain_lookup_payload[\"urls\"]:\n formatted_url = URI(\n str(url)\n .replace(\"{sender}\", str(formatted_sender))\n .replace(\"{data}\", str(formatted_data))\n )\n\n try:\n if \"{data}\" in url and \"{sender}\" in url:\n response = session.get(formatted_url, timeout=DEFAULT_HTTP_TIMEOUT)\n else:\n response = session.post(\n formatted_url,\n json={\"data\": formatted_data, \"sender\": formatted_sender},\n timeout=DEFAULT_HTTP_TIMEOUT,\n )\n```\n\n(The request is issued before response validation; subsequent logic parses JSON and enforces a `\"data\"` field.)\n\nKey observations:\n- `requests` follows redirects by default (`allow_redirects=True`).\n- No `allow_redirects=False` is set.\n- No validation of `formatted_url` before the request.\n- The placeholder check (`if \"{data}\" in url`) operates on the raw `url` value from the payload (before `str()` conversion), not on the already-formatted `formatted_url`. If `url` is not a plain `str` (e.g., a `URI` type), the `in` check may behave differently than intended.\n\n### Async CCIP handler\n\n**File:** `web3/utils/async_exception_handling.py` (lines 45-63)\n\nSame pattern with `aiohttp`:\n\n```python\nsession = ClientSession()\nfor url in offchain_lookup_payload[\"urls\"]:\n formatted_url = URI(\n str(url)\n .replace(\"{sender}\", str(formatted_sender))\n .replace(\"{data}\", str(formatted_data))\n )\n\n try:\n if \"{data}\" in url and \"{sender}\" in url:\n response = await session.get(\n formatted_url, timeout=ClientTimeout(DEFAULT_HTTP_TIMEOUT)\n )\n else:\n response = await session.post(\n formatted_url,\n json={\"data\": formatted_data, \"sender\": formatted_sender},\n timeout=ClientTimeout(DEFAULT_HTTP_TIMEOUT),\n )\n```\n\nKey observations:\n- `aiohttp` follows redirects by default.\n- No redirect or destination validation.\n- Same raw-`url` placeholder check issue as the sync handler.\n\n### Default-on invocation path\n\n**File:** `web3/providers/base.py` (line 66) and `web3/providers/async_base.py` (line 79):\n\n```python\nglobal_ccip_read_enabled: bool = True\n```\n\n**File:** `web3/eth/eth.py` (lines 222-266) and `web3/eth/async_eth.py` (lines 243-287):\n\nThe `.call()` method automatically invokes `handle_offchain_lookup()` / `async_handle_offchain_lookup()` when a contract reverts with `OffchainLookup`, up to `ccip_read_max_redirects` times (default: 4). No user interaction or explicit opt-in is required beyond the default configuration.\n\n---\n\n## Security Impact\n\n### 1. Blind SSRF (Primary Impact)\n\nA malicious contract can supply URLs that cause the web3.py process to issue HTTP GET or POST requests to:\n\n- **Loopback services:** `http://127.0.0.1:\u003cport\u003e/...`, `http://localhost/...`\n- **Cloud metadata endpoints:** `http://169.254.169.254/latest/meta-data/iam/security-credentials/`\n- **Internal network services:** any RFC1918 address (`10.x.x.x`, `172.16-31.x.x`, `192.168.x.x`)\n- **Arbitrary external destinations**\n\nThe request is made from the web3.py process. This alone constitutes SSRF -- the attacker controls the destination of an outbound request from the victim\u0027s infrastructure.\n\n**Note on response handling:** The CCIP handler expects a JSON response containing a `\"data\"` field. If the target endpoint does not return valid JSON with this key, the handler raises `Web3ValidationError` or continues to the next URL. This means:\n\n- The raw response body is **not** directly returned to the attacker in most cases (blind SSRF).\n- However, the request itself is the primary threat: it can reach internal services, trigger side effects on internal APIs, and serve as a network probe.\n- On AWS with IMDSv1, a GET to `http://169.254.169.254/...` returns credentials in plaintext. While the CCIP handler would fail to parse this as JSON, the request itself reaches the metadata service. If an internal endpoint returns JSON containing a `\"data\"` field (or can be coerced to), the handler may accept it and use it in the on-chain callback, creating a potential exfiltration path.\n\n### 2. Redirect-Based SSRF Amplification\n\nBoth `requests` and `aiohttp` follow HTTP redirects by default. The CCIP handlers use the final response without validating the final resolved URL.\n\n- **Sync:** `web3/utils/exception_handling.py` -- `session.get()` with default `allow_redirects=True`\n- **Async:** `web3/utils/async_exception_handling.py` -- `session.get()` with default redirect following\n\nA contract-supplied URL can point to an attacker-controlled server that issues a `302` redirect to `http://169.254.169.254/...` or any internal endpoint. This defeats naive URL-prefix checks that an application might add, expanding the SSRF surface.\n\n### 3. Internal Network Probing\n\nBy varying the URLs supplied in the `OffchainLookup` revert payload, an attacker can:\n\n- Probe internal network topology (open ports, reachable hosts) based on response timing and error behavior\n- Trigger side effects on internal APIs that accept GET or POST requests without authentication\n- Map cloud infrastructure by querying metadata endpoints\n\n### 4. POST-Based SSRF\n\nWhen the contract-supplied URL does **not** contain both `{sender}` and `{data}` placeholders, the handler switches to `session.post()` with a JSON body. This means the attacker can cause the victim to issue **POST requests with a controlled JSON body** (`{\"data\": ..., \"sender\": ...}`) to arbitrary destinations, increasing the potential for triggering state-changing operations on internal services.\n\n---\n\n## Proof of Concept\n\n### Prerequisites\n\n- Python environment with `web3` installed\n- No network access or blockchain connection required (the PoC calls the handler function directly)\n\n### Step 1: Start a local HTTP listener\n\n```bash\npython -m http.server 9999\n```\n\n### Step 2: Run the reproduction script\n\n```bash\npython repro_ssrf.py\n```\n\n### Step 3: Observe\n\nThe HTTP server logs will show an inbound request to a path like `/SSRF_DETECTION_SUCCESS?sender=...\u0026data=...`, confirming that `handle_offchain_lookup()` issued an outbound HTTP request to the contract-supplied URL without any destination validation.\n\nThe script will then print an error (the local HTTP server does not return the expected JSON), but the request has already been sent -- the SSRF occurs before any response validation.\n\n### Reproduction script (`repro_ssrf.py`)\n\n```python\nfrom web3.types import TxParams\nfrom web3.utils.exception_handling import handle_offchain_lookup\n\n\ndef reproduce_ssrf():\n target_address = \"0x0000000000000000000000000000000000000001\"\n\n payload = {\n \"sender\": target_address,\n \"callData\": \"0x1234\",\n \"callbackFunction\": \"0x12345678\",\n \"extraData\": \"0x90ab\",\n \"urls\": [\n \"http://127.0.0.1:9999/SSRF_DETECTION_SUCCESS?sender={sender}\u0026data={data}\"\n ],\n }\n\n transaction: TxParams = {\"to\": target_address}\n\n print(f\"Triggering CCIP Read handler with URL: {payload[\u0027urls\u0027][0]}\")\n\n try:\n handle_offchain_lookup(payload, transaction)\n except Exception as e:\n print(f\"Expected failure after request was sent: {e}\")\n\n\nif __name__ == \"__main__\":\n reproduce_ssrf()\n```\n\n### Real-world attack scenario\n\nIn a production setting, the attacker would:\n\n1. Deploy a malicious contract that reverts with `OffchainLookup`, supplying URLs pointing to internal services (e.g., `http://169.254.169.254/latest/meta-data/iam/security-credentials/`).\n2. Cause a backend service (indexer, API, bot) to call that contract via `eth_call` / `.call()`.\n3. web3.py automatically triggers CCIP Read, issuing the HTTP request from the backend\u0027s network context.\n\nNo special permissions or contract interactions beyond a standard `eth_call` are required.\n\n---\n\n## Suggested Remediation\n\n### 1. Restrict URL schemes (safe default)\n\nAllow only `https://` by default. Provide an explicit opt-in flag (e.g., `ccip_read_allow_http=True`) for `http://`.\n\n### 2. Block private/reserved IP destinations by default\n\nBefore issuing the request, resolve the hostname and reject connections to:\n\n- `127.0.0.0/8` (loopback)\n- `169.254.0.0/16` (link-local / cloud metadata)\n- `10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16` (RFC1918)\n- `::1`, `fe80::/10` (IPv6 loopback / link-local)\n- `0.0.0.0/8`\n\n### 3. Disable or validate redirects\n\nEither:\n- Set `allow_redirects=False` on the HTTP requests, or\n- Validate each redirect target against the same destination policy before following it\n\n### 4. Provide a URL validator hook\n\nAllow users to supply a custom URL validation callback for CCIP Read URLs (e.g., a hostname allowlist, gateway pinning, or custom policy). This enables advanced users to configure CCIP Read for their specific trust model.\n\n### 5. Consider stronger default safety signaling (or default-off in server-side contexts)\n\nEIP-3668 encourages keeping CCIP Read enabled for calls, so this may not be desirable as a universal default change. However, for server-side deployments, consider either:\n- a clearly documented \u201csafe mode\u201d preset (destination validation + redirect checks + private-range blocking), or\n- stronger warnings / examples showing how to disable CCIP Read (`ccip_read_enabled=False` or `global_ccip_read_enabled=False`) when calling untrusted contracts.\n\nAt minimum, document the SSRF risk prominently in the CCIP Read docs.",
"id": "GHSA-5hr4-253g-cpx2",
"modified": "2026-06-09T10:57:20Z",
"published": "2026-04-04T06:38:11Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ethereum/web3.py/security/advisories/GHSA-5hr4-253g-cpx2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40072"
},
{
"type": "WEB",
"url": "https://github.com/ethereum/web3.py/commit/b1c57bb0a124359c9902daaefab4d8af7c3c4c1e"
},
{
"type": "PACKAGE",
"url": "https://github.com/ethereum/web3.py"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "web3.py: SSRF via CCIP Read (EIP-3668) OffchainLookup URL handling"
}
GHSA-5HR7-6M56-F3RG
Vulnerability from github – Published: 2026-06-03 00:30 – Updated: 2026-06-03 00:30A vulnerability was found in ahujasid blender-mcp up to 7636d13bded82eca58eb93c3f4cd8708dfdfbe8b. The affected element is the function requests.get of the file src/blender_mcp/server.py of the component ZIP File Handler. The manipulation of the argument zip_file_url results in server-side request forgery. The attack can be executed remotely. The exploit has been made public and could be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The patch is identified as 5b37be25242e73dc4cf1328974d30458b9e5d67e. It is advisable to implement a patch to correct this issue.
{
"affected": [],
"aliases": [
"CVE-2026-10662"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-02T23:16:34Z",
"severity": "LOW"
},
"details": "A vulnerability was found in ahujasid blender-mcp up to 7636d13bded82eca58eb93c3f4cd8708dfdfbe8b. The affected element is the function requests.get of the file src/blender_mcp/server.py of the component ZIP File Handler. The manipulation of the argument zip_file_url results in server-side request forgery. The attack can be executed remotely. The exploit has been made public and could be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The patch is identified as 5b37be25242e73dc4cf1328974d30458b9e5d67e. It is advisable to implement a patch to correct this issue.",
"id": "GHSA-5hr7-6m56-f3rg",
"modified": "2026-06-03T00:30:26Z",
"published": "2026-06-03T00:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10662"
},
{
"type": "WEB",
"url": "https://github.com/ahujasid/blender-mcp/issues/203"
},
{
"type": "WEB",
"url": "https://github.com/ahujasid/blender-mcp/pull/205"
},
{
"type": "WEB",
"url": "https://github.com/bergskenop/blender-mcp/commit/5b37be25242e73dc4cf1328974d30458b9e5d67e"
},
{
"type": "WEB",
"url": "https://github.com/ahujasid/blender-mcp"
},
{
"type": "WEB",
"url": "https://vuldb.com/cve/CVE-2026-10662"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/830488"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/367957"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/367957/cti"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-5J38-MH4Q-M5CV
Vulnerability from github – Published: 2022-05-24 16:58 – Updated: 2024-04-04 02:12A security vulnerability exists in the Zingbox Inspector versions 1.294 and earlier, that can allow an attacker to easily identify instances of Zingbox Inspectors in a local area network.
{
"affected": [],
"aliases": [
"CVE-2019-15021"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-09T21:15:00Z",
"severity": "MODERATE"
},
"details": "A security vulnerability exists in the Zingbox Inspector versions 1.294 and earlier, that can allow an attacker to easily identify instances of Zingbox Inspectors in a local area network.",
"id": "GHSA-5j38-mh4q-m5cv",
"modified": "2024-04-04T02:12:31Z",
"published": "2022-05-24T16:58:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15021"
},
{
"type": "WEB",
"url": "https://security.paloaltonetworks.com/CVE-2019-15021"
},
{
"type": "WEB",
"url": "https://securityadvisories.paloaltonetworks.com/Home/Detail/188"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5J3J-X96G-89V5
Vulnerability from github – Published: 2026-03-19 21:30 – Updated: 2026-03-19 21:30Server-side request forgery (ssrf) in Microsoft Bing allows an unauthorized attacker to perform tampering over a network.
{
"affected": [],
"aliases": [
"CVE-2026-26120"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-19T21:17:06Z",
"severity": "MODERATE"
},
"details": "Server-side request forgery (ssrf) in Microsoft Bing allows an unauthorized attacker to perform tampering over a network.",
"id": "GHSA-5j3j-x96g-89v5",
"modified": "2026-03-19T21:30:24Z",
"published": "2026-03-19T21:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26120"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26120"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-5J4Q-6J8C-67M6
Vulnerability from github – Published: 2023-10-26 12:31 – Updated: 2023-11-03 18:30The Assistant WordPress plugin before 1.4.4 does not validate a parameter before making a request to it via wp_remote_get(), which could allow users with a role as low as Editor to perform SSRF attacks
{
"affected": [],
"aliases": [
"CVE-2023-5798"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-26T10:15:34Z",
"severity": "HIGH"
},
"details": "The Assistant WordPress plugin before 1.4.4 does not validate a parameter before making a request to it via wp_remote_get(), which could allow users with a role as low as Editor to perform SSRF attacks",
"id": "GHSA-5j4q-6j8c-67m6",
"modified": "2023-11-03T18:30:23Z",
"published": "2023-10-26T12:31:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5798"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/bbb4c98c-4dd7-421e-9666-98f15acde761"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
CAPEC-664: Server Side Request Forgery
An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.