curl_cffi: Redirect-based SSRF leads to internal network access in curl_cffi (with TLS impersonation bypass)

Summary

curl_cffi does not restrict requests to internal IP ranges, and follows redirects automatically via the underlying libcurl.

Because of this, an attacker-controlled URL can redirect requests to internal services such as cloud metadata endpoints. In addition, curl_cffi’s TLS impersonation feature can make these requests appear as legitimate browser traffic, which may bypass certain network controls.

Details

The issue comes from how curl_cffi handles outbound requests
- User-supplied URLs are passed directly to libcurl without checking whether they resolve to internal IP ranges (e.g., 127.0.0.1, 169.254.0.0/16).
- Redirects are automatically followed (CURLOPT_FOLLOWLOCATION = 1) inside libcurl.
- There is no validation of redirect destinations at the Python layer.

This means that even if an application only allows requests to external URLs, an attacker can
- Provide a URL pointing to an attacker-controlled server
- Return a redirect response pointing to an internal service
- Have curl_cffi follow that redirect automatically

As a result, internal endpoints (such as cloud instance metadata APIs) can be accessed.

Additionally, curl_cffi supports TLS fingerprint impersonation (e.g., impersonate="chrome"). In environments where outbound requests are filtered based on TLS fingerprinting, this can make such requests harder to detect or block

This behavior is similar to previously reported redirect-based SSRF issues such as CVE-2025-68616, where redirects allowed access to unintended internal resources.

PoC

1. Direct internal request

import curl_cffi
resp = curl_cffi.get("http://169.254.169.254/latest/meta-data/")
print(resp.text)

2. Redirect to internal service
   Attacker server:

GET /test
→ 302 Location: http://169.254.169.254/latest/meta-data/

Victim code:

import curl_cffi
resp = curl_cffi.get("https://attacker.example/test")
print(resp.text)

Result
- Initial request goes to attacker server
- Redirect is returned
- libcurl follows the redirect automatically
- Internal metadata endpoint is accessed

3. With TLS impersonation

import curl_cffi\
resp = curl_cffi.get(
    "https://attacker.example/test",
    impersonate="chrome")

In some environments, this may help the request bypass TLS-based filtering controls.

Impact

An attacker who can control the requested URL may be able to:
- Access internal network services
- Reach cloud metadata endpoints and retrieve sensitive information
- Bypass certain outbound filtering mechanisms (depending on environment)
This corresponds to CWE-918 Server-Side Request Forgery.