CVE-2026-33752: curl_cffi: Redirect-based SSRF leads to internal network access in curl_cffi (with TLS impersonation bypass)

April 3, 2026 (updated April 6, 2026)

curl_cffi does not restrict requests to internal IP ranges, and follows redirects automatically via the underlying libcurl.

Because of this, an attacker-controlled URL can redirect requests to internal services such as cloud metadata endpoints. In addition, curl_cffi’s TLS impersonation feature can make these requests appear as legitimate browser traffic, which may bypass certain network controls.

References

github.com/advisories/GHSA-qw2m-4pqf-rmpp
github.com/lexiforest/curl_cffi
github.com/lexiforest/curl_cffi/security/advisories/GHSA-qw2m-4pqf-rmpp
nvd.nist.gov/vuln/detail/CVE-2026-33752

Code Behaviors & Features

Detect and mitigate CVE-2026-33752 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →