requests-hardened is Vulnerable to Server-Side Request Forgery — CVE-2026-42175
ID: CVE-2026-42175
Source: GitHub
Vendor: GitHub
Threat: medium
CVSS: 6.5
EPSS: 0.0003
Summary
The SSRF protection in `requests-hardened` prior to version 1.2.1 fails to block IP addresses within the RFC 6598 Shared Address Space (`100.64.0.0/10`). An attacker who can supply arbitrary URLs to `requests-hardened` could exploit this gap to access internal services hosted within `100.64.0.0/10`. This is relevant, for example, in environments such as AWS EKS, where `100.64.0.0/10` is commonly used as the default…
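The gap described above can be reproduced with Python's standard `ipaddress` module, whose `is_private` flag is `False` for `100.64.0.0/10`. This is an added example, not code from `requests-hardened`; the function names and the sample addresses are assumptions made for illustration, and it does not claim to show how the library implements its filter.

```python
import ipaddress

# RFC 6598 Shared Address Space, the range named in the advisory.
SHARED_ADDRESS_SPACE = ipaddress.ip_network("100.64.0.0/10")


def _normalize(value):
    """Parse an address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    addr = ipaddress.ip_address(value)
    mapped = getattr(addr, "ipv4_mapped", None)
    return mapped if mapped is not None else addr


def naive_is_blocked(value):
    """Hypothetical filter that trusts only the standard-library flags."""
    addr = _normalize(value)
    return (addr.is_private or addr.is_loopback
            or addr.is_link_local or addr.is_unspecified)


def hardened_is_blocked(value):
    """Same filter plus an explicit deny entry for 100.64.0.0/10."""
    addr = _normalize(value)
    in_shared = addr.version == 4 and addr in SHARED_ADDRESS_SPACE
    return naive_is_blocked(value) or in_shared


# Constructed sample destinations (not taken from the advisory).
SAMPLES = [
    "10.0.0.1",            # RFC 1918, caught by both filters
    "169.254.169.254",     # link-local, caught by both filters
    "100.64.0.1",          # shared address space, missed by the naive filter
    "100.127.255.255",     # last address of 100.64.0.0/10
    "::ffff:100.64.0.1",   # same range, written as IPv4-mapped IPv6
    "100.128.0.1",         # first address past the range, public
    "8.8.8.8",             # public
]


def audit(samples=SAMPLES):
    """Return (address, naive verdict, hardened verdict) for each sample."""
    return [(s, naive_is_blocked(s), hardened_is_blocked(s)) for s in samples]


if __name__ == "__main__":
    for address, naive, hardened in audit():
        print(f"{address:20} naive={naive!s:5} hardened={hardened}")
```

In a real client the check has to run against every address the hostname resolves to at connection time, not only against IP literals in the URL.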
Product
pip: requests-hardened
What to do
General, cautious steps (verify details in the official source):
- Review exposure and plan remediation based on risk and environment.
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.