CVE-2026-42175— requests-hardened: Server-Side Request Forgery (SSRF) in requests-hardened RFC 6598
Possible ATT&CK Techniques 1AI
T1190 · Exploit Public-Facing ApplicationAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| saleor | requests-hardened | < 1.2.1 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-42175
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
requests-hardened: Server-Side Request Forgery (SSRF) in requests-hardened RFC 6598
Source: NVD (National Vulnerability Database)
Vulnerability Description
requests-hardened is a library that overrides the default behaviors of the requests library, and adds new security features. Prior to , the SSRF protection in requests-hardened fails to block IP addresses within the RFC 6598 Shared Address Space (100.64.0.0/10). An attacker who can supply arbitrary URLs to requests-hardened could exploit this gap to access internal services hosted within 100.64.0.0/10. This is for example relevant in environments such as AWS EKS where 100.64.0.0/10 is commonly used as the default pod CIDR. The impact is environment-dependent, deployments that utilize the affected CIDR range for internal networking are exposed to SSRF bypass, while others may not be affected. This vulnerability is fixed in .
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
服务端请求伪造(SSRF)
Source: NVD (National Vulnerability Database)
Vulnerability Title
requests-hardened 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
requests-hardened是Saleor Commerce开源的一个增强HTTP请求安全性的Python库。 requests-hardened存在代码问题漏洞,该漏洞源于SSRF保护未能阻止RFC 6598共享地址空间,可能导致攻击者访问内部服务。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| saleor | requests-hardened | < 1.2.1 | - |
II. Public POCs for CVE-2026-42175
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-42175
请登录查看更多情报信息。
- https://github.com/saleor/requests-hardened/releases/tag/v1.2.1x_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2026-42175
IV. Related Vulnerabilities
Same vendor: saleor
- CVE-2026-39851
Saleor has a user enumeration vulnerability due to different - CVE-2026-35407
Saleor has Cross-Account Email Change via Unbound Confirmati - CVE-2026-35401
Saleor has a resource exhaustion vulnerability in GraphQL qu - CVE-2026-33756
Saleor Affected by Denial of Service via Unbounded GraphQL Q - CVE-2026-24136
Saleor has an Insecure Direct Object Reference (IDOR) in Gra
Same weakness: CWE-918
- CVE-2026-8725
CoreWorxLab CAAL test-hass Endpoint webhooks.py server-side - CVE-2026-45338
Open WebUI: SSRF via OAuth Profile Picture URL in _process_p - CVE-2026-45347
Open WebUI: Blind server side request forgery (SSRF) via the - CVE-2026-45400
Open WebUI: Server-Side Request Forgery (SSRF) bypass in `va - CVE-2026-45401
Open WebUI: SSRF Bypass via HTTP Redirect Following in Web-F
V. Comments for CVE-2026-42175
No comments yet