N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-373w-rj84-pv6x

GHSA-373w-rj84-pv6x: SafeURL-Python's hostname blocklist does not block FQDNs

Description

If a hostname was blacklisted, it was possible to bypass the blacklist by requesting the FQDN of the host (e.g. adding . to the end).

Impact

The main purpose of this library is to block requests to internal/private IPs and these cannot be bypassed using this finding. But if a library user had specifically set certain hostnames as blocked, then an attacker would be able to circumvent that block to cause SSRFs to request those hostnames.

Patches

Fixed by https://github.com/IncludeSecurity/safeurl-python/pull/6

Credit

https://github.com/Sim4n6

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-373w-rj84-pv6x

GHSA-373w-rj84-pv6x:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
SafeURL-Python	pip	< 1.3	1.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from improper domain comparison in the blocklist check. The commit diff shows the fix added .strip('.') to domain/value comparisons in isInList, proving this was the vulnerable function. The test case added in safeurl_tests.py demonstrates the bypass scenario using a trailing dot, which this function's logic failed to handle before the patch.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-373w-rj84-pv6x: SafeURL-Python's hostname blocklist does not block FQDNs

Description

Impact

Patches

Credit

GHSA-373w-rj84-pv6x:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

N/A

N/A

GHSA-373w-rj84-pv6x: SafeURL-Python's hostname blocklist does not block FQDNs

Description

Impact

Patches

Credit

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI