Is curl-cffi affected by CVE-2026-33752?

PyPI curl-cffi is affected in <0.15.0.

Is CVE-2026-33752 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.5%.

high

CVE-2026-33752

Q: Is CVE-2026-33752 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.5%.

PyPI · curl-cffi

Summary

curl_cffi: Redirect-based SSRF leads to internal network access in curl_cffi (with TLS impersonation bypass)

Severity: high
EPSS: 0.5% (p36)
Also known as: GHSA-qw2m-4pqf-rmpp
Published: 2026-04-03

References

https://github.com/lexiforest/curl_cffi/security/advisories/GHSA-qw2m-4pqf-rmpp
https://nvd.nist.gov/vuln/detail/CVE-2026-33752
https://github.com/lexiforest/curl_cffi

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.