CVE-2026-45568
rok Python ProxyShare can be used as an SSRF proxy through absolute URL paths
Description
## Summary

Alice exposes a Python SDK `ProxyShare` with a fixed target URL. Bob sends a request to the share with an absolute URL in the path. The Flask handler passes that path to `urllib.parse.urljoin`, which replaces Alice's configured target host with Bob's host and returns the server-side response to Bob.

## Details

The Python SDK proxy route accepts every path under the share:

```python
@app.route('/', defaults={'path': ''}, methods=['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'])
@app.route('/<path:path>', methods=['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'])
def proxy(path):
```

It constructs the outbound URL with `urljoin` and then sends the request:

```python
url = urllib.parse.urljoin(self.target, path)
resp = requests.request(
    method=request.method,
    url=url,
    headers={key: value for (key, value) in request.headers
             if key.lower() not in HOP_BY_HOP_HEADERS},
    data=request.get_data(),
    cookies=request.cookies,
    allow_redirects=False,
    stream=True,
    verify=self.verify_ssl
)
```

When `path` is `http://127.0.0.1:19190/metadata`, `urljoin(self.target, path)` returns `http://127.0.0.1:19190/metadata`. The proxy sends the request to Bob's chosen URL rather than Alice's target.
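As an added example (not code from the rok SDK), the snippet below reproduces the `urljoin` behaviour described above next to a hardened join that validates the scheme and host of the joined URL against the configured target; `TARGET` and the function names are constructed for this example.

```python
import urllib.parse

# Constructed sample value for this example; the real SDK reads `self.target`
# from the share configuration.
TARGET = "http://internal-app.example:8080/api/"


def vulnerable_build_url(target: str, path: str) -> str:
    """The join described in the advisory: urljoin honours an absolute `path`,
    so a caller-controlled scheme and host replace the configured target."""
    return urllib.parse.urljoin(target, path)


def is_within_target(target: str, path: str) -> bool:
    """Return True only if joining `path` onto `target` keeps the target origin.

    Checking the *result* of urljoin, rather than pattern-matching `path`,
    also catches scheme-relative '//host/...' input, which urljoin resolves
    to the target's scheme plus the caller's host.
    """
    joined = urllib.parse.urlsplit(urllib.parse.urljoin(target, path))
    wanted = urllib.parse.urlsplit(target)
    return (joined.scheme.lower(), joined.netloc.lower()) == (
        wanted.scheme.lower(), wanted.netloc.lower()
    )


def safe_build_url(target: str, path: str) -> str:
    """Hardened join: refuse any path whose joined URL leaves the target origin."""
    if not is_within_target(target, path):
        raise ValueError(f"refusing to proxy outside {target!r}: {path!r}")
    return urllib.parse.urljoin(target, path)


if __name__ == "__main__":
    for p in ("metadata", "http://127.0.0.1:19190/metadata", "//127.0.0.1:19190/metadata"):
        verdict = "allowed" if is_within_target(TARGET, p) else "rejected"
        print(f"{p!r:38} urljoin -> {vulnerable_build_url(TARGET, p)}  [{verdict}]")
```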
How to fix CVE-2026-45568
No patched version has been released yet. Consider removing the affected package, or refer to the upstream guidance at the links below.
- No patched version listed
Is CVE-2026-45568 being exploited?
There are currently no signals of exploitation. CVE-2026-45568 is neither in the CISA KEV catalog nor has a recent EPSS score.
Affected packages (1)
- >= 0.4.47, <= 1.1.11
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:L |