{"uuid": "e3a1a376-bfd2-4efb-b8e2-89a0cbb13739", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-4CC2-G9W2-FHF6", "type": "seen", "source": "https://gist.github.com/alon710/d42b4dbefc93b27ac577422cb0d5bd9b", "content": "# GHSA-4cc2-g9w2-fhf6: Server-Side Request Forgery in python-zeep via Transitive Schema Resolution\n\n> **CVSS Score:** 5.9\n> **Published:** 2026-06-19\n> **Full Report:** https://cvereports.com/reports/GHSA-4CC2-G9W2-FHF6\n\n## Summary\nA regression in python-zeep (versions 4.0.0 through 4.3.2) silently ignores the `forbid_external` setting, which is meant to block transitive fetches of external resources (WSDL imports, XSD imports and includes) during WSDL and XSD parsing. An application that parses an attacker-controlled WSDL or schema with the setting enabled still follows those references, so the parsing host can be made to issue requests to URLs of the attacker's choosing, including internal services: a Server-Side Request Forgery (SSRF).\n\n## TL;DR\npython-zeep 4.0.0 through 4.3.2 ignore `forbid_external=True`. An attacker who can supply a WSDL or XSD to an application running these versions can make it fetch arbitrary URLs, giving unauthenticated SSRF against internal endpoints reachable from the parsing host.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-918 (Server-Side Request Forgery)\n- **Attack Vector**: Network\n- **CVSS v3.1**: 5.9 (Medium)\n- **Impact**: Confidentiality High\n- **Exploit Status**: Proof of Concept available\n- **KEV Status**: Not listed\n\n## Affected Systems\n\n- Applications using python-zeep (zeep) 4.0.0 through 4.3.2 to load WSDL or XSD documents from untrusted or attacker-influenced sources\n- **zeep**: >= 4.0.0, <= 4.3.2 (Fixed in: `4.3.3`)\n\n## Mitigation\n\n- Upgrade python-zeep to 4.3.3 or later.\n- After upgrading, explicitly set `forbid_external=True` in `zeep.Settings` and pass it to every client. On affected versions the setting is silently ignored, so enabling it is not a substitute for the upgrade.\n- Enforce network egress filtering from hosts that parse untrusted schemas: block RFC 1918 ranges, loopback, and the link-local range, which includes the cloud metadata endpoint at 169.254.169.254.\n\n**Remediation Steps:**\n1. Upgrade with `pip install --upgrade \"zeep>=4.3.3\"` (quote the requirement so the shell does not treat `>` as a redirect).\n2. Locate every place in the codebase that instantiates `zeep.Client`.\n3. Import the `Settings` class from `zeep`.\n4. Create `settings = Settings(forbid_external=True)` and pass it as the `settings` argument of the `Client` initializer.\n\n## References\n\n- [GHSA-4cc2-g9w2-fhf6 Security Advisory](https://github.com/mvantellingen/python-zeep/security/advisories/GHSA-4cc2-g9w2-fhf6)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-4CC2-G9W2-FHF6) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-21T21:42:12.000000Z"}
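As an added, constructed example (not python-zeep project code and not part of the advisory), the following Python script applies the remediation steps defensively: it gates on the installed zeep version using the advisory's affected range, walks an untrusted WSDL with the standard library to list the `schemaLocation` / `location` references a parser would fetch transitively, flags those that point at loopback, RFC 1918 or link-local addresses such as the cloud metadata service, and only then builds a `zeep.Client` with `Settings(forbid_external=True)`. The sample WSDL, the host addresses and the helper names (`external_references`, `is_blocked_target`, `audit_document`, `zeep_is_affected`, `load_trusted_wsdl`) are assumptions made for the illustration; `zeep.Settings`, `zeep.Client(..., settings=...)` and `importlib.metadata.version` are real APIs.

```python
"""Pre-parse audit of an untrusted WSDL/XSD for transitive external references,
plus a version gate for the GHSA-4cc2-g9w2-fhf6 affected range.

Added example, not python-zeep project code. Element and attribute names are
the standard WSDL 1.1 / XML Schema ones; the sample document, addresses and
helper names are constructed for this illustration.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
XSD_NS = "http://www.w3.org/2001/XMLSchema"

# element -> attribute whose value a WSDL/XSD parser fetches transitively
EXTERNAL_REFS = {
    f"{{{WSDL_NS}}}import": "location",
    f"{{{XSD_NS}}}import": "schemaLocation",
    f"{{{XSD_NS}}}include": "schemaLocation",
    f"{{{XSD_NS}}}redefine": "schemaLocation",
}

# Constructed sample: an inline schema importing from the cloud metadata
# address, an RFC 1918 host, and one public schema host.
SAMPLE_WSDL = b"""<?xml version="1.0"?>
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:xsd="http://www.w3.org/2001/XMLSchema"
             targetNamespace="urn:example">
  <types>
    <xsd:schema targetNamespace="urn:example">
      <xsd:import namespace="urn:meta"
                  schemaLocation="http://169.254.169.254/latest/meta-data/"/>
      <xsd:include schemaLocation="http://10.0.0.5:8080/internal.xsd"/>
      <xsd:import namespace="urn:pub"
                  schemaLocation="https://schemas.example.com/pub.xsd"/>
    </xsd:schema>
  </types>
</definitions>
"""


def external_references(document: bytes) -> list[str]:
    """URLs the parser would fetch transitively, in document order.
    ElementTree resolves neither DTDs nor external entities, so this walk
    itself makes no network requests."""
    root = ET.fromstring(document)
    refs = []
    for el in root.iter():
        attr = EXTERNAL_REFS.get(el.tag)
        if attr and el.get(attr):
            refs.append(el.get(attr))
    return refs


def is_blocked_target(url: str) -> bool:
    """True for non-HTTP(S) schemes or a literal loopback, RFC 1918, link-local
    (169.254.169.254 included) or unspecified host. DNS names and shorthand
    literals such as 127.1 are not resolved here; those need a connect-time
    check in the transport or egress filtering."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return True
    try:
        ip = ipaddress.ip_address(parts.hostname or "")
    except ValueError:
        return False
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified


def audit_document(document: bytes) -> dict[str, list[str]]:
    """Split external references into SSRF targets ('blocked') and other
    external fetches ('external'); both are worth logging."""
    result = {"blocked": [], "external": []}
    for url in external_references(document):
        result["blocked" if is_blocked_target(url) else "external"].append(url)
    return result


def zeep_is_affected(version: str) -> bool:
    """True for 4.0.0 <= version <= 4.3.2, the advisory's affected range.
    Pre-release suffixes are ignored (4.3.3rc1 compares as 4.3.3)."""
    nums = []
    for part in version.split(".")[:3]:
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    nums += [0] * (3 - len(nums))
    return (4, 0, 0) <= tuple(nums) <= (4, 3, 2)


def load_trusted_wsdl(wsdl_path: str):
    """Build a zeep Client only when zeep is patched and the WSDL carries no
    transitive references. forbid_external=True should stop those fetches on a
    fixed version; the audit catches SSRF payloads on versions that ignore it."""
    from importlib.metadata import version
    installed = version("zeep")
    if zeep_is_affected(installed):
        raise RuntimeError(f"zeep {installed} ignores forbid_external; upgrade to >= 4.3.3")
    with open(wsdl_path, "rb") as fh:
        audit = audit_document(fh.read())
    if audit["blocked"] or audit["external"]:
        raise ValueError(f"WSDL has external references, refusing to parse: {audit}")
    from zeep import Client, Settings  # lazy so the audit helpers run without zeep
    return Client(wsdl_path, settings=Settings(forbid_external=True))


if __name__ == "__main__":
    print(audit_document(SAMPLE_WSDL))
```

Run against `SAMPLE_WSDL`, the audit reports the metadata and 10.0.0.5 references as blocked and the public schema as an ordinary external fetch. The literal-address check is deliberately conservative: a hostname that resolves to an internal address, or a shorthand such as `127.1`, passes it, which is why the egress filtering in the Mitigation section remains necessary alongside the library setting.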