CVE-2024-31992: Unconstrained httpx client SSRF
A function parameter implies a URL is being handled, and an `httpx` client is instantiated without a custom `transport`. When requesting user-controlled URLs, using the default client exposes the application to Server-Side Request Forgery (SSRF). Set a custom transport to enforce outgoing network restrictions (e.g., blocking private subnets).
Provally Curated | Public repository | Medium | Medium confidence | Verified | Apache-2.0 | Python
greprules fetch cve-2024-31992-unconstrained-httpx-client-ssrf --engine opengrep
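The pattern the rule flags, next to the fix it asks for, as an added example that is not part of the rule page or of httpx itself. `fetch_unrestricted` is the unconstrained client; `PublicOnlyTransport` wraps httpx's stock `HTTPTransport` and refuses any request whose host resolves to a non-public address. Because httpx hands every redirect hop to the transport separately, the check also covers a public URL that redirects inward. All names (`check_destination`, `PublicOnlyTransport`, `CONSTRUCTED_DNS`, the `*.example.test` hosts and their addresses) are constructed for this example; httpx is assumed to be installed for the transport part, while the address policy is standard library only.

```python
import ipaddress
import socket
from typing import Callable, Dict, List
from urllib.parse import urlsplit

try:
    import httpx  # assumed installed; needed only for the transport wrapper
except ImportError:  # the address policy below is stdlib-only
    httpx = None

Resolver = Callable[[str], List[str]]


class BlockedDestination(Exception):
    """Raised when a URL would reach a non-public address."""


def system_resolve(host: str) -> List[str]:
    """Resolve a hostname or IP literal to every address the OS returns."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(addr: str) -> bool:
    """True only for globally routable unicast addresses.

    IPv4-mapped IPv6 (::ffff:10.0.0.1) is unwrapped so the IPv4 ranges are
    judged; multicast is rejected explicitly because is_global does not
    exclude it on older Pythons.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return ip.is_global and not ip.is_multicast


def check_destination(url: str, resolve: Resolver = system_resolve) -> List[str]:
    """Return the resolved addresses of url, or raise BlockedDestination.

    Every address is checked: a name that resolves to both a public and a
    private address is refused rather than trusted on its first answer.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise BlockedDestination(f"scheme {parts.scheme!r} is not allowed")
    if not parts.hostname:
        raise BlockedDestination("URL has no host")
    try:
        addrs = resolve(parts.hostname)
    except socket.gaierror as exc:
        raise BlockedDestination(f"cannot resolve {parts.hostname!r}") from exc
    blocked = [a for a in addrs if not is_public_address(a)]
    if blocked or not addrs:
        raise BlockedDestination(f"{parts.hostname!r} resolves to {blocked or 'nothing'}")
    return addrs


def is_allowed(url: str, resolve: Resolver = system_resolve) -> bool:
    """Boolean form of check_destination."""
    try:
        check_destination(url, resolve)
        return True
    except BlockedDestination:
        return False


# Constructed name table so the example runs without touching DNS.
CONSTRUCTED_DNS: Dict[str, List[str]] = {
    "api.example.test": ["1.2.3.4"],
    "intranet.example.test": ["192.168.1.20"],
    "dual.example.test": ["1.2.3.4", "10.0.0.5"],
}


def table_resolve(host: str) -> List[str]:
    """Offline resolver: consult the constructed table, else accept IP literals."""
    if host in CONSTRUCTED_DNS:
        return CONSTRUCTED_DNS[host]
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        raise socket.gaierror(f"constructed resolver has no entry for {host!r}")


if httpx is not None:

    def fetch_unrestricted(url: str) -> str:
        # What the rule flags: default transport, user-controlled URL.
        return httpx.get(url).text

    class PublicOnlyTransport(httpx.BaseTransport):
        """Vets each request (redirect hops included) before the real transport sends it."""

        def __init__(self, resolve: Resolver = system_resolve,
                     inner: "httpx.BaseTransport | None" = None) -> None:
            self._resolve = resolve
            self._inner = inner or httpx.HTTPTransport()

        def handle_request(self, request: "httpx.Request") -> "httpx.Response":
            check_destination(str(request.url), self._resolve)
            return self._inner.handle_request(request)

        def close(self) -> None:
            self._inner.close()

    def fetch_restricted(url: str) -> str:
        # The fix: the client is built with a custom transport that enforces the policy.
        with httpx.Client(transport=PublicOnlyTransport(), follow_redirects=True) as client:
            return client.get(url).text
```

One caveat a reviewer should keep in mind: the policy resolves the name once and httpx's own connection resolves it again, so a DNS answer that changes between the two lookups can still reach a different address than the one vetted. Pinning the connection to the checked address needs control at the resolver or socket layer rather than in `handle_request`, and a scheme allow-list (here `http`/`https`) should be kept even with the address policy in place.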
Community feedback
0 signals from signed-in users.
- Useful: 0
- False positive: 0
- Metadata: 0