GHSA-4CC2-G9W2-FHF6: GHSA-4cc2-g9w2-fhf6: Server-Side Request Forgery in python-zeep via Transitive Schema Resolution

#security #cve #cybersecurity #ghsa

GHSA-4cc2-g9w2-fhf6: Server-Side Request Forgery in python-zeep via Transitive Schema Resolution

Vulnerability ID: GHSA-4CC2-G9W2-FHF6
CVSS Score: 5.9
Published: 2026-06-19

A regression in python-zeep (versions 4.0.0 through 4.3.2) silently ignores the security configuration designed to block transitive external resource fetches during WSDL and XSD parsing. This defect exposes applications to Server-Side Request Forgery (SSRF) when loading untrusted schemas.

TL;DR

A silent regression in python-zeep versions 4.0.0 to 4.3.2 ignores the forbid_external security setting, allowing remote attackers to trigger unauthenticated SSRF against internal endpoints.

⚠️ Exploit Status: POC

Technical Details

CWE ID: CWE-918
Attack Vector: Network
CVSS v3.1: 5.9 (Medium)
Impact: Confidentiality High
Exploit Status: Proof of Concept available
KEV Status: Not listed

Affected Systems

Applications implementing python-zeep (zeep) version 4.0.0 through 4.3.2
zeep: >= 4.0.0, <= 4.3.2 (Fixed in: 4.3.3)

Code Analysis

Commit: 83eb07b

Wire up the forbid_external setting to prevent remote HTTP/HTTPS queries during parsing.

Exploit Details

GitHub Security Advisory: No description

Mitigation Strategies

Upgrade python-zeep to version 4.3.3 or higher.
Explicitly enable the forbid_external=True configuration parameter in python-zeep Settings.
Enforce network egress filtering to block requests to RFC 1918 addresses and link-local cloud metadata endpoints.

Remediation Steps:

Run your package manager update command: pip install --upgrade zeep>=4.3.3
Locate client instantiation files in the codebase.
Import the Settings class from zeep.
Define settings = Settings(forbid_external=True) and pass this object to the Client initializer.