
AIKIDO-2026-10912

yarl is vulnerable to Server-Side Request Forgery (SSRF)

Server-Side Request Forgery (SSRF) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 3 days ago

72

High Risk

This Affects:

Python: yarl
0.0.1 - 1.23.0
Fixed in 1.24.0

TL;DR

The yarl URL parser accepted malformed authority and host strings that violate RFC 3986, including backslashes in the authority, IPv6 literals wrapped in more than one pair of brackets, text placed before or after IP-literal brackets, and percent-encoded scheme prefixes. Because of these inconsistencies, an attacker-controlled URL could resolve to a different effective host than a stricter parser would report, and than yarl's own URL property accessors reported, enabling host confusion whenever an application validates one representation (the parsed fields) but connects using another (the serialized string). Affected versions silently normalized or accepted such URLs instead of failing closed. The fix tightens validation in split_url and split_netloc and keeps a percent-encoded colon from materializing an unintended scheme in str() and human_repr.
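The defensive counterpart of the TL;DR, added here as an example (it is not yarl's code or Aikido's): a fail-closed host check that rejects the authority shapes listed above and then cross-checks its own answer against urllib.parse, since the bug class is two parsers disagreeing about the host. The function names strict_host and is_allowed_target, the narrow hostname grammar and the sample URLs are assumptions of this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed example, not yarl's code: an application-side gate that fails closed on the
# authority shapes the advisory lists, then cross-checks its answer against urllib.parse.
_SCHEME_RE = re.compile(r"^(?:https?)://", re.IGNORECASE)
_NAME_RE = re.compile(r"^[A-Za-z0-9.-]+$")  # deliberately narrower than RFC 3986 reg-name
_PORT_RE = re.compile(r"^[0-9]{1,5}$")


def strict_host(url: str) -> str:
    """Return the lower-cased effective host of url, or raise ValueError."""
    m = _SCHEME_RE.match(url)
    if not m:  # rejects "http%3A//..." and any other non-literal scheme prefix
        raise ValueError("scheme must be a literal http:// or https://")
    rest = url[m.end():]
    cut = min((i for i in (rest.find(c) for c in "/?#") if i != -1), default=len(rest))
    authority = rest[:cut]
    if not authority or any(c in authority for c in "\\@ \t\r\n"):
        raise ValueError("authority is empty or contains backslash, userinfo or whitespace")
    if authority.startswith("["):
        if authority.count("[") != 1 or authority.count("]") != 1:
            raise ValueError("IP-literal must use exactly one bracket pair")
        close = authority.index("]")
        host, tail = authority[1:close], authority[close + 1:]
        if "%" in host:
            raise ValueError("zone identifiers are not accepted")
        ipaddress.IPv6Address(host)  # raises ValueError unless host is a real IPv6 literal
    elif "[" in authority or "]" in authority:
        raise ValueError("bracket outside an IP-literal")
    else:
        host, sep, port = authority.partition(":")
        tail = sep + port
        if not _NAME_RE.match(host):
            raise ValueError("host is not a plain DNS name or IPv4 address")
    if tail and not (tail.startswith(":") and _PORT_RE.match(tail[1:])):
        raise ValueError("only a numeric port may follow the host")
    host = host.lower()
    seen = urlsplit(url).hostname  # independent parser must agree; its own ValueError also rejects
    if seen != host:
        raise ValueError(f"parser disagreement: validated {host!r}, stdlib saw {seen!r}")
    return host


def is_allowed_target(url: str, allowed_hosts: set[str]) -> bool:
    """True only if the URL's effective host is allow-listed; any parse doubt is a no."""
    try:
        return strict_host(url) in allowed_hosts
    except ValueError:
        return False
```

Run the check on the raw string before it is handed to yarl or an HTTP client, and treat any False as a rejected request rather than something to normalize.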

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

yarl is vulnerable to Server-Side Request Forgery (SSRF) in versions 0.0.1 - 1.23.0.

How to fix this

Upgrade the yarl library to the patched version, 1.24.0 or later.