How the CVE works (technical details):
The `requests-hardened` library prior to version 1.2.1 implements Server-Side Request Forgery (SSRF) protection by blocking IP ranges classified as private or reserved. However, the filtering logic omitted the RFC 6598 Shared Address Space (`100.64.0.0/10`), which is designated for Carrier-Grade NAT (CG-NAT). An attacker able to control the URL parameter (e.g., via HTTP redirects, request hooks, or directly supplied URLs) can craft a request pointing to `http://100.64.1.2:8080/admin`. Because the IP is not blocked, the library resolves and forwards the request, bypassing the SSRF filter. The vulnerability is particularly critical in cloud environments like AWS EKS, where `100.64.0.0/10` is commonly assigned as the default pod CIDR for internal cluster networking. A successful exploit allows an external attacker to reach internal services (e.g., Kubernetes API, metadata endpoints, internal databases) that would otherwise be unreachable.

The root cause is an incomplete allowlist/denylist implementation: only the standard private IPv4 ranges (`10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`) and loopback were blocked. The RFC 6598 range was mistakenly treated as "public" and thus permitted.

Version 1.2.1 patches the issue by explicitly adding `100.64.0.0/10` to the blocked list, plus several other reserved or multicast ranges (e.g., `192.88.99.0/24`, `224.0.0.0/4`, IPv6 multicast) to prevent similar bypasses. The fix also blocks the NAT64 (`64:ff9b::/96`) and ORCHIDv2 (`2001:20::/28`) ranges. The patched logic rejects any URL whose resolved IP falls into these CIDRs, raising an `SSRFException` before the request is sent. Attackers can still reach external endpoints, but cannot pivot to internal networks within the affected ranges.

Patched in 1.2.1
dailycve form:
Platform: `requests-hardened`
Version: `< 1.2.1`
Vulnerability: `SSRF via CG-NAT`
Severity: `Medium (env dependent)`
Date: `2026-05-05`
Prediction:
Analytics under What Undercode Say:
Check if the installed version is vulnerable:

```bash
pip show requests-hardened | grep Version
```

Simulate the SSRF bypass (vulnerable code example):

```bash
python3 -c "
import requests_hardened as req
# Attacker-controlled URL pointing to an internal pod
url = 'http://100.64.10.5:8080/internal/secret'
try:
    resp = req.get(url)  # no block before 1.2.1
    print('Bypass successful:', resp.text[:50])
except Exception as e:
    print('Blocked:', e)
"
```

Test after patching (1.2.1); expected to raise `SSRFException`:

```bash
python3 -c "
from requests_hardened import Session
s = Session()
s.get('http://100.64.0.1/metadata/v1/')  # raises SSRFException on >= 1.2.1
"
```
Exploit:

Exploit payload to reach an internal AWS EKS pod:

```python
import requests_hardened as req

# Target internal service at 100.64.2.100 (pod CIDR)
response = req.get("http://100.64.2.100:9200/_cat/indices")
print(response.json())  # leaks internal Elasticsearch indices
```
Protection from this CVE:
- Upgrade to `requests-hardened >= 1.2.1` immediately.
- If upgrading is impossible, manually block `100.64.0.0/10` in your own URL validation wrapper:

```python
import ipaddress
import socket
from urllib.parse import urlparse

def custom_ssrf_filter(url):
    # Resolve the hostname and refuse anything inside the CG-NAT range.
    ip = ipaddress.ip_address(socket.gethostbyname(urlparse(url).hostname))
    if ip in ipaddress.ip_network('100.64.0.0/10'):
        raise ValueError('Blocked CG-NAT range')
```

- Use network firewalls to restrict egress from the application server.
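As an added illustration (not the library's own code), the wrapper above extended to the full set of ranges the advisory says 1.2.1 blocks: it checks every address a host resolves to rather than only the first, and unwraps IPv4-mapped IPv6 literals so `[::ffff:100.64.1.2]` is judged as `100.64.1.2`. The names `PRE_1_2_1_BLOCKLIST`, `PATCHED_BLOCKLIST`, `blocked_by` and `check_url` are chosen here; the resolver is injectable so the filter can be tested without DNS.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Ranges the advisory says were blocked before 1.2.1: standard private IPv4 and loopback.
PRE_1_2_1_BLOCKLIST = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128")]
# Ranges the advisory says 1.2.1 adds: CG-NAT space plus reserved and multicast ranges.
ADDED_IN_1_2_1 = [ipaddress.ip_network(n) for n in (
    "100.64.0.0/10",   # RFC 6598 shared address space (CG-NAT, common EKS pod CIDR)
    "192.88.99.0/24",  # deprecated 6to4 relay anycast
    "224.0.0.0/4",     # IPv4 multicast
    "ff00::/8",        # IPv6 multicast
    "64:ff9b::/96",    # NAT64 well-known prefix
    "2001:20::/28",    # ORCHIDv2
)]
PATCHED_BLOCKLIST = PRE_1_2_1_BLOCKLIST + ADDED_IN_1_2_1

class SSRFException(Exception):
    """Raised when a URL resolves into a blocked range (exception name from the advisory)."""

def resolve_all(hostname):
    """All addresses the host resolves to, as strings, so one public record cannot hide an internal one."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(hostname, None)}
    except socket.gaierror as exc:
        raise SSRFException(f"cannot resolve {hostname}: {exc}") from exc

def blocked_by(url, blocklist=PATCHED_BLOCKLIST, resolver=resolve_all):
    """Return the blocked network (as a string) the URL resolves into, or None."""
    host = urlparse(url).hostname
    if host is None:
        raise SSRFException(f"no host in URL: {url!r}")
    for text in resolver(host):
        ip = ipaddress.ip_address(text)
        # An IPv4-mapped IPv6 literal such as [::ffff:100.64.1.2] is judged as IPv4.
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        for net in blocklist:
            if ip in net:
                return str(net)
    return None

def check_url(url, blocklist=PATCHED_BLOCKLIST, resolver=resolve_all):
    """Raise SSRFException before any request is sent if the URL hits a blocked range."""
    hit = blocked_by(url, blocklist, resolver)
    if hit is not None:
        raise SSRFException(f"{url} resolves into blocked range {hit}")
    return url
```

With the pre-1.2.1 list, `blocked_by("http://100.64.1.2:8080/admin", PRE_1_2_1_BLOCKLIST, ...)` returns `None` (the bypass); with the patched list it returns `"100.64.0.0/10"`.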
Impact:
- Confidentiality: Attacker can read internal service responses (e.g., cloud metadata, cluster APIs).
- Integrity: Limited – attacker may modify state via internal APIs exposed through SSRF.
- Availability: Unlikely unless SSRF leads to denial-of-service on internal endpoints.
- Environment dependent: Only affects deployments using `100.64.0.0/10` for sensitive internal services (e.g., AWS EKS, certain VPN/CG-NAT setups). Others see no impact.
Sources:
Reported By: github.com