Vulnerability	Vulnerable Version
M Time-of-check Time-of-use (TOCTOU) Race Condition prefect is a Prefect is a new workflow management system, designed for modern infrastructure and powered by the open-source Prefect Core workflow engine. Users organize Tasks into Flows, and Prefect takes care of the rest. Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition in the `validate_restricted_url()` function of the `Webhook` and `CustomWebhookNotificationBlock` components, which enables DNS rebinding attacks. When `allow_private_urls` is set to `False`, an attacker can bypass intended URL restrictions by returning a public IP address first, which passes validation, and then a private one at the time of the actual connection. How to fix Time-of-check Time-of-use (TOCTOU) Race Condition? Upgrade `prefect` to version 3.6.28.dev2 or higher.	[,3.6.28.dev2)

Time-of-check Time-of-use (TOCTOU) Race Condition

prefect is a Prefect is a new workflow management system, designed for modern infrastructure and powered by the open-source Prefect Core workflow engine. Users organize Tasks into Flows, and Prefect takes care of the rest.

Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition in the validate_restricted_url() function of the Webhook and CustomWebhookNotificationBlock components, which enables DNS rebinding attacks. When allow_private_urls is set to False, an attacker can bypass intended URL restrictions by returning a public IP address first, which passes validation, and then a private one at the time of the actual connection.

How to fix Time-of-check Time-of-use (TOCTOU) Race Condition?

Upgrade prefect to version 3.6.28.dev2 or higher.

[,3.6.28.dev2)

Go back to all versions of this package