SSRF Vulnerability in requests-hardened Library Affecting Saleor
CVE-2026-42175
What is CVE-2026-42175?
requests-hardened is a wrapper around the popular requests library that adds, among other things, an SSRF guard: before a request is sent, the destination address is checked against a denylist of non-public ranges so that a user-supplied URL cannot be turned into a request to internal services. In versions before 1.2.1 that denylist omitted the RFC 6598 Shared Address Space, 100.64.0.0/10 (the carrier-grade NAT range). An attacker who can make the application fetch an arbitrary URL can therefore point it at any address in that range, and the guard lets the request through.

Whether this is exploitable depends on the deployment. 100.64.0.0/10 is not routable on the public Internet, but it is widely used as internal address space, for example for pod networking in Kubernetes clusters on AWS EKS. In such an environment the gap allows an SSRF filter bypass to reach pods and services that the guard was meant to make unreachable; in a deployment that does not use the range internally, the missing entry has no practical effect. Applications that rely on requests-hardened as their only SSRF control should treat every URL reachable by untrusted input as affected until the library is upgraded.

The issue is fixed in version 1.2.1, which adds 100.64.0.0/10 to the blocked ranges. Users should update to 1.2.1 or later.
Affected Version(s)
requests-hardened < 1.2.1
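The following is an added example, not the requests-hardened source, that shows how this class of gap looks in code and how a resolver-aware check closes it. The two denylists, the hostnames and the fake DNS table are constructed for the illustration; the library's actual list and API are not reproduced here. It also shows a related pitfall a practitioner should know: Python's own ipaddress module documents is_private as False for 100.64.0.0/10, so a guard written as "reject if ip.is_private" has exactly the same hole, whereas "reject unless ip.is_global" does not.

```python
"""SSRF denylist gap for RFC 6598 Shared Address Space (100.64.0.0/10).

Added example, NOT the requests-hardened code. Denylists, hostnames and
the fake resolver below are constructed for the demonstration.
"""
import ipaddress
from urllib.parse import urlsplit

# The "usual" non-routable ranges as many SSRF guards list them.
# Constructed for this example; note that 100.64.0.0/10 is absent.
DENYLIST_BEFORE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# RFC 6598 Shared Address Space (CGNAT). Internal in clusters that use it
# for pod networking, so it belongs on the denylist.
SHARED_ADDRESS_SPACE = ipaddress.ip_network("100.64.0.0/10")

DENYLIST_AFTER = DENYLIST_BEFORE + [SHARED_ADDRESS_SPACE]


def is_denied(addr: str, denylist) -> bool:
    """True if the literal IP address falls inside any denylisted network."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:100.64.0.1) so the IPv4 entries apply.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in denylist)


def url_allowed(url: str, denylist, resolver) -> bool:
    """Decide whether a request to `url` may be sent.

    `resolver(host)` returns every address the host resolves to. A real
    guard resolves once, checks every answer, connects only to the checked
    addresses, and repeats the check on each redirect. The resolver is
    injected here so the example runs offline.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname
    try:
        addrs = [str(ipaddress.ip_address(host))]  # IP literal, no DNS needed
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        return False
    return not any(is_denied(a, denylist) for a in addrs)


# Constructed stand-in for DNS: one name points at a pod IP in the
# shared address space, the other at a documentation (TEST-NET-3)
# address standing in for a public host.
FAKE_DNS = {
    "internal-svc.example": ["100.64.3.7"],
    "public.example": ["203.0.113.10"],
}


def fake_resolver(host: str):
    return FAKE_DNS.get(host, [])


def compare(url: str):
    """Return (allowed_before_fix, allowed_after_fix) for one URL."""
    return (url_allowed(url, DENYLIST_BEFORE, fake_resolver),
            url_allowed(url, DENYLIST_AFTER, fake_resolver))


def stdlib_is_private_misses_cgnat() -> bool:
    """ipaddress documents is_private as False for 100.64.0.0/10 while
    is_global is also False; a guard keyed on is_private shares the gap."""
    ip = ipaddress.ip_address("100.64.0.1")
    return (not ip.is_private) and (not ip.is_global)


if __name__ == "__main__":
    for u in ("http://100.64.0.1/latest/", "http://internal-svc.example/",
              "http://10.0.0.5/", "http://public.example/",
              "http://[::ffff:100.64.0.1]/"):
        print(u, compare(u))
    print("is_private misses CGNAT:", stdlib_is_private_misses_cgnat())
```

The pre-fix list lets both the literal 100.64.0.1 and a hostname resolving into the range through; the post-fix list rejects them while still allowing the public host. Checking the resolved addresses rather than the hostname string is what stops the DNS-based variant of the same bypass.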
