Intel

AIKIDO-2026-106840

requests is vulnerable to Server-Side Request Forgery (SSRF)

Server-Side Request Forgery (SSRF) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Yesterday

59

Medium Risk

This Affects:

PYTHONrequests
1.0.0 - 2.33.1
Fixed in 2.34.0
Are you affected? Scan for Free

TL;DR

The should_bypass_proxies logic in requests matches a request host against no_proxy entries using an unanchored suffix comparison. Because the check is greedy and ignores domain boundaries, a host such as evilexample.com is treated as covered by a no_proxy value of example.com. An attacker who controls or influences such a look-alike host can make the client skip the configured proxy and connect directly, bypassing proxy-based egress controls and SSRF protections that rely on no_proxy. The fix ports CPython's bpo-39057 change to constrain no_proxy matching to proper domain boundaries.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and rely on no_proxy/NO_PROXY rules to control which hosts bypass the configured proxy.

Background info

requests is vulnerable to Server-Side Request Forgery (SSRF) in versions 1.0.0 - 2.33.1.

How to fix this

Upgrade the requests library to the patch version.