Description
requests-hardened is a library that overrides the default behaviors of the requests library, and adds new security features. Prior to , the SSRF protection in requests-hardened fails to block IP addresses within the RFC 6598 Shared Address Space (100.64.0.0/10). An attacker who can supply arbitrary URLs to requests-hardened could exploit this gap to access internal services hosted within 100.64.0.0/10. This is for example relevant in environments such as AWS EKS, where 100.64.0.0/10 is commonly used as the default pod CIDR. The impact is environment-dependent: deployments that utilize the affected CIDR range for internal networking are exposed to SSRF bypass, while others may not be affected. This vulnerability is fixed in .
Published: 2026-05-12
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

requests-hardened is a library that overrides the Python requests library to add security features. Earlier releases do not block IP addresses within the RFC 6598 Shared Address Space (100.64.0.0/10). If an attacker can provide arbitrary URLs to the library, the SSRF protection is bypassed, enabling the attacker to reach internal services on that CIDR. The result is unintended access to internal resources, potentially exposing sensitive data and allowing further lateral movement. This weakness is classified as CWE-918.

Affected Systems

Vendor: Saleor; product: requests-hardened. The vulnerability affects installations that use a version of the library built before the fix. The bug was addressed in version 1.2.1; earlier releases remain vulnerable. No other vendor or product variants are listed.

Risk and Exploitability

The CVSS score is 6.5, indicating moderate severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog. Attackers who can supply URLs to the library, such as external users of a web application that uses requests-hardened, might exploit the bypass to reach internal network resources. The attack requires that the target environment employs the 100.64.0.0/10 CIDR for pod networking or other internal services, a pattern common in AWS EKS clusters and similar deployments. The impact is therefore environment-dependent, providing unintended internal access where the CIDR is used.

Generated by OpenCVE AI on May 12, 2026 at 21:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install requests-hardened version 1.2.1 or newer to apply the SSRF mitigation
  • If the vulnerable library must remain in use, block outbound traffic to the 100.64.0.0/10 CIDR with firewall rules or network policies to prevent SSRF exploitation
  • Implement URL whitelist validation to restrict the destinations that can be fetched through requests-hardened
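As an added illustration, not code from requests-hardened or OpenCVE, the Python below shows why a deny list built only from the classic RFC 1918 and loopback/link-local ranges lets 100.64.0.0/10 through, and how a resolve-then-check guard that includes RFC 6598 closes the gap. The hostnames, addresses and the resolver table are constructed for the example; real deployments would resolve through DNS and pin the connection to the checked IP.

```python
import ipaddress
import socket
from typing import Callable, Iterable, Union
from urllib.parse import urlsplit

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Deny list modelled on the classic "private" ranges only; it has the gap the
# advisory describes because RFC 6598 (100.64.0.0/10) is not among them.
LEGACY_BLOCKED: list[Network] = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",      # loopback, link-local, "this" net
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 equivalents
)]

# Corrected list: the same entries plus the RFC 6598 Shared Address Space.
HARDENED_BLOCKED: list[Network] = LEGACY_BLOCKED + [ipaddress.ip_network("100.64.0.0/10")]


def is_blocked(ip: str, blocked: Iterable[Network]) -> bool:
    """True if the literal IP falls inside any network on the deny list."""
    addr = ipaddress.ip_address(ip)
    # ::ffff:100.64.0.1 must be judged as its IPv4 form or it slips past IPv4 rules.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in blocked)


def check_url(url: str,
              resolver: Callable[[str], str] = socket.gethostbyname,
              blocked: Iterable[Network] = HARDENED_BLOCKED) -> str:
    """Resolve the URL's host once and return the IP the request may connect to.
    Raises ValueError when the destination is on the deny list. The caller should
    connect to the returned IP rather than resolve again (DNS rebinding window)."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    ip = resolver(host)
    if is_blocked(ip, blocked):
        raise ValueError(f"refusing SSRF-prone destination {host} -> {ip}")
    return ip


# Constructed resolver table standing in for DNS so the example runs offline.
FAKE_DNS = {"pod-api.internal.example": "100.64.3.7",   # EKS-style pod CIDR
            "api.example.com": "203.0.113.10"}          # RFC 5737 documentation range

def fake_resolve(host: str) -> str:
    return FAKE_DNS[host]
```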


Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-vh75-fwv3-pqrh
Title: requests-hardened is Vulnerable to Server-Side Request Forgery
History

Tue, 12 May 2026 18:15:00 +0000

Values added:
Description: requests-hardened is a library that overrides the default behaviors of the requests library, and adds new security features. Prior to , the SSRF protection in requests-hardened fails to block IP addresses within the RFC 6598 Shared Address Space (100.64.0.0/10). An attacker who can supply arbitrary URLs to requests-hardened could exploit this gap to access internal services hosted within 100.64.0.0/10. This is for example relevant in environments such as AWS EKS, where 100.64.0.0/10 is commonly used as the default pod CIDR. The impact is environment-dependent: deployments that utilize the affected CIDR range for internal networking are exposed to SSRF bypass, while others may not be affected. This vulnerability is fixed in .
Title: requests-hardened: Server-Side Request Forgery (SSRF) in requests-hardened RFC 6598
Weaknesses: CWE-918
References:
Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T17:52:09.138Z

Reserved: 2026-04-25T01:53:21.582Z

Link: CVE-2026-42175

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-12T18:17:24.073

Modified: 2026-05-12T18:17:24.073

Link: CVE-2026-42175

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T21:30:25Z

Weaknesses