zeep: forbid_external not enforced (SSRF) fixed in 4.3.3
What changed
In python-zeep versions 4.0.0 through 4.3.2, the `forbid_external` setting was defined but not enforced, allowing SSRF via transitive fetching of external resources in WSDL/XSD documents. Fixed in 4.3.3 where `forbid_external=True` now blocks such fetches.
Who it affects
Applications using python-zeep 4.0.0 to 4.3.2 that load untrusted WSDL/XSD documents or rely on `forbid_external=True` for security.
What to do today
Upgrade to python-zeep 4.3.3 or later and set `forbid_external=True` when loading documents from untrusted sources.
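On 4.3.3 and later the fix is the one the advisory names: pass `zeep.Settings(forbid_external=True)` to `zeep.Client` for any WSDL from a source you do not control. As an added example (not code from the advisory or from the zeep project), the audit below uses only the standard library to list the references in a WSDL/XSD document that a SOAP client would otherwise follow transitively, so a document can be checked before it is handed to the client, or so a log of what was fetched can be reconciled against an allow-list. The WSDL text, the host names and the allow-list are constructed for the example.

```python
"""Audit a WSDL/XSD document for the references a SOAP client would fetch.

Added example: lists xsd:import/include/redefine schemaLocation and
wsdl:import location values, then flags absolute references whose host is
not on an allow-list. Standard library only; no network access.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XSD_NS = "http://www.w3.org/2001/XMLSchema"
WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"

# Element -> attribute that names another document to be fetched.
REFERENCE_ATTRS = {
    f"{{{XSD_NS}}}import": "schemaLocation",
    f"{{{XSD_NS}}}include": "schemaLocation",
    f"{{{XSD_NS}}}redefine": "schemaLocation",
    f"{{{WSDL_NS}}}import": "location",
}


def external_references(xml_text: str) -> list[tuple[str, str]]:
    """Return (local element name, reference) for every fetchable reference,
    in document order. Relative references are returned unchanged."""
    root = ET.fromstring(xml_text)
    found = []
    for elem in root.iter():
        attr = REFERENCE_ATTRS.get(elem.tag)
        if attr and elem.get(attr):
            found.append((elem.tag.split("}")[1], elem.get(attr)))
    return found


def offending_references(xml_text: str, allowed_hosts: set[str]) -> list[tuple[str, str]]:
    """Return references that would leave the allow-list.

    A reference without a scheme is relative to the document's own base URL,
    so it stays on the host the document came from and is not flagged here;
    any absolute reference (http, https, file, ...) whose host is not on the
    allow-list is flagged.
    """
    bad = []
    for tag, ref in external_references(xml_text):
        parsed = urlparse(ref)
        if not parsed.scheme:
            continue  # relative: resolved against the trusted base
        if parsed.hostname not in allowed_hosts:
            bad.append((tag, ref))
    return bad


# Constructed sample: a WSDL whose wsdl:import points at a host that is not the
# API host. Hosts are placeholders, not real services.
SAMPLE_WSDL = """\
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:xsd="http://www.w3.org/2001/XMLSchema"
             targetNamespace="http://api.example.com/svc">
  <import namespace="http://api.example.com/other"
          location="http://internal-host.example/other.wsdl"/>
  <types>
    <xsd:schema targetNamespace="http://api.example.com/svc">
      <xsd:include schemaLocation="common.xsd"/>
      <xsd:import namespace="http://api.example.com/types"
                  schemaLocation="https://api.example.com/types.xsd"/>
    </xsd:schema>
  </types>
</definitions>
"""

if __name__ == "__main__":
    for tag, ref in external_references(SAMPLE_WSDL):
        print(f"{tag:8} -> {ref}")
    for tag, ref in offending_references(SAMPLE_WSDL, {"api.example.com"}):
        print(f"FLAGGED  {tag} -> {ref}")
```

The scan only looks at the top-level document; a document fetched from an allowed host can itself carry further references, which is exactly the transitive fetching the advisory describes, so the scan complements `forbid_external=True` rather than replacing it.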
Source
GitHub Advisory · zeep