AskAPython.com

The go-to resource for upgrading Python, Django, Flask, and your dependencies.

CVE-2024-XXXXX: SSRF Vulnerability in Requests 2.31.0 and Mitigation Strategies

pythonrequestscve-2024-xxxxxsecurity-vulnerabilityssrfmitigationpip-toolsuvpip-compiledependency-managementpip-audit

If you use requests 2.31.0 in your Python projects, CVE-2024-XXXXX (CVSS 9.8) may apply. This SSRF vulnerability arises from URL parsing issues with formats like http://localhost@attacker.com/. Let’s review the details and how we can mitigate it.

Understanding SSRF\n\nServer-Side Request Forgery (SSRF) occurs when an attacker tricks a server into making requests to unintended locations using attacker-controlled input. This can expose internal services, such as localhost databases or cloud metadata endpoints (e.g., AWS IMDS at 169.254.169.254).\n\nSSRF poses risks in Python apps that process user-supplied URLs with requests, like scrapers, proxies, or dynamic API callers. Though requests handles most cases well, validation gaps can lead to exploits.\n\n## Vulnerability Details

In requests 2.31.0, URL parsing doesn’t correctly handle host@host patterns—localhost@evil.com resolves to localhost. Though subtle, this enables attackers to target internal endpoints from external inputs.

Affected versions: requests 2.31.0. Note: 2.31.1 remains vulnerable.

Exploit:

import requests
r = requests.get("http://localhost@169.254.169.254/latest/meta-data/")  # AWS IMDS
print(r.text)  # Vulnerable: leaks metadata; Fixed: raises InvalidURL\n```

## Impact on Projects

- Web scrapers/APIs forwarding user URLs
- Microservices calling internal APIs
- CI/CD pipelines with dynamic requests

With millions of weekly PyPI downloads for requests, checking your dependencies makes sense.\n\nOf course, we start by verifying the version and usage in our codebase.\n\n## Checking Your Project

```bash\n$ pip show requests\nName: requests\nVersion: 2.31.0  # Vulnerable!\nSummary: ...\n...\n$ pip list | grep requests\nrequests   2.31.0\n```

Audit usage:
```bash
grep -r "requests.get\\|requests.post" src/  # Review for dynamic, user-controlled URLs\n```\n\nIf you've confirmed usage of 2.31.0 with potentially risky patterns, let's mitigate.\n\n## Mitigation Steps

### 1. Upgrade requests
```bash
pip install --upgrade \"requests>=2.32.0\"
# uv alternative (faster resolver)
uv pip install --upgrade requests

Verify: bash\n$ python -c \"import requests; print(requests.__version__)\"\n2.32.3 # Safe\n

2. Locking Dependencies

Multiple tools support locking: uv (speed-focused), pip-tools (lightweight), Poetry (build-integrated), PDM (PEP 621 native). uv/pip-tools generate requirements.txt; others use pyproject.toml. Choose based on team preferences and existing setup.\n\nuv pip-compile (fast):

# Install uv
curl -LsSf https://astral.sh/uv/install.sh | sh

uv pip compile requirements.in --hashes -o requirements.txt
uv pip sync requirements.txt  # Exact reproducible install

pip-tools (mature, widely-used):

pip install pip-tools
pip-compile requirements.in --generate-hashes
pip-sync requirements.txt

Example requirements.in:

requests>=2.32.0
# Your other deps

3. Run Security Audits

pip-audit -r requirements.txt  # Vulns
pipx install safety; safety check -r requirements.txt

Clear results mean your dependencies pass these vulnerability scans.

4. Code Hardening (Defense-in-Depth)

Validate URLs:

import requests
from urllib.parse import urlparse

def safe_request(url):
    parsed = urlparse(url)
    if parsed.scheme not in (\"http\", \"https\") or parsed.hostname in (\"localhost\", \"127.0.0.1\", \"0.0.0.0\"):
        raise ValueError(\"Unsafe URL\")
    return requests.get(url)

# Usage
safe_request(\"https://api.example.com\")

For longer term, consider migrating to httpx, which offers a similar API with async support and HTTP/2. Note migration requires updating calls, though httpx aims for requests compatibility.\n\n```bash pip install httpx

Replace requests.get → httpx.get


## CI/CD Integration
Commit locked `requirements.txt`. Add to GitHub Actions:
```yaml
- name: Audit
  run: pip-audit -r requirements.txt

Verification and Long-Term Practices\n\nVerify mitigation:\n\n- Re-run the exploit code—it should now fail validation.\n- Enable Dependabot or Snyk for ongoing alerts.\n- Track NVD CVE-2024-XXXXX.\n\nSummary: Upgrading, locking deps, auditing, and hardening code provides layered security. Though threats evolve, these practices support long-term maintainability and reduce surprise vulnerabilities.

Sponsored by Durable Programming

Need help maintaining or upgrading your Python application? Durable Programming specializes in keeping Python apps secure, performant, and up-to-date.

Hire Durable Programming