Add advisory: reqwest SSRF via default redirect policy #2665

Closed
BrianMcWilliams wants to merge 1 commit into rustsec:main from BrianMcWilliams:patch-1
@BrianMcWilliams
reqwest's default redirect policy follows redirects to private/internal IP ranges (RFC 1918, link-local, loopback, cloud metadata endpoints), enabling SSRF in server-side applications that fetch user-controlled URLs.
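
An added example, not part of this pull request and not reqwest's code: a std-only Rust check that an application fetching user-controlled URLs could run on the addresses each redirect hop resolves to, covering the ranges named above. The function names (`is_internal`, `first_internal`, `hop_allowed`) and the sample chain are hypothetical and constructed for illustration.

```rust
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};

// Ranges named in the PR description: loopback, RFC 1918, link-local.
// 169.254.0.0/16 (link-local) contains the 169.254.169.254 metadata address.
fn is_internal_v4(ip: Ipv4Addr) -> bool {
    ip.is_loopback() || ip.is_private() || ip.is_link_local() || ip.is_unspecified()
}

fn is_internal_v6(ip: Ipv6Addr) -> bool {
    // An IPv4-mapped address (::ffff:a.b.c.d) is judged as the IPv4 address it wraps.
    if let Some(v4) = ip.to_ipv4_mapped() {
        return is_internal_v4(v4);
    }
    let first = ip.segments()[0];
    ip.is_loopback()
        || ip.is_unspecified()
        || (first & 0xfe00) == 0xfc00 // fc00::/7 unique local
        || (first & 0xffc0) == 0xfe80 // fe80::/10 link-local
}

pub fn is_internal(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => is_internal_v4(v4),
        IpAddr::V6(v6) => is_internal_v6(v6),
    }
}

/// First internal address among those a redirect hop's host resolved to.
pub fn first_internal(resolved: &[IpAddr]) -> Option<IpAddr> {
    resolved.iter().copied().find(|ip| is_internal(*ip))
}

/// A hop is followed only if it resolved to something and none of it is internal.
pub fn hop_allowed(resolved: &[IpAddr]) -> bool {
    !resolved.is_empty() && first_internal(resolved).is_none()
}

fn main() {
    // Constructed sample: resolved addresses for each hop of a redirect chain.
    let chain = [
        ("hop 1", vec!["93.184.216.34"]),
        ("hop 2", vec!["93.184.216.34", "192.168.0.5"]),
        ("hop 3", vec!["::ffff:169.254.169.254"]),
    ];
    for (label, addrs) in &chain {
        let ips: Vec<IpAddr> = addrs.iter().map(|a| a.parse().unwrap()).collect();
        println!("{}: allowed={} blocked_by={:?}", label, hop_allowed(&ips), first_internal(&ips));
    }
}
```

The check is only meaningful when the connection is then made to one of the addresses that were checked, rather than to the result of a second DNS lookup.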
@alex
Member

alex commented Feb 23, 2026

Is there a change in the status since #2663?

@djc djc closed this Feb 24, 2026