Server-Side Request Forgery (SSRF) in rdflib

This advisory has been revoked: it does not affect any version of the package rdflib.


  • Snyk ID: SNYK-PYTHON-RDFLIB-1324490
  • Published: 28 Nov 2021
  • Disclosed: 22 Jul 2021
  • Credit: Alex Dutton

Introduced: 22 Jul 2021

CVE: not available. CWE-918 (Server-Side Request Forgery)

Amendment

This was deemed not a vulnerability.

Overview

rdflib is a Python library for working with RDF, a simple yet powerful language for representing information.

Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF). rdflib resolves external references found in the data it parses, so an application that hands it untrusted documents or queries can be made to issue requests on an attacker's behalf, with the consequences listed below. It is recommended to take precautions against those scenarios: process isolation or sandboxing, runtime audit hooks (sys.addaudithook), or a custom URL opener. All of these apply equally to RDFLib and to the underlying resource-resolution functionality of Python that it relies on.

If a web service accepts POSTed JSON-LD data, rdflib will attempt to resolve every URL referenced from the document's @context. This can lead to:

  1. attackers probing internal networks, by having rdflib request non-public URLs on their behalf and observing how the application responds
  2. reflection (amplification) attacks, if the same or slightly different URLs are repeated many times in the @context, so that one small POST triggers many outbound requests to a target of the attacker's choosing
  3. resource exhaustion, because the entire remote file is loaded into memory before JSON parsing is attempted, so a very large response consumes the worker's memory
  4. denial of service, if web or task workers are tied up for extended periods waiting for HTTP requests to a slow or unresponsive host to complete
  5. attackers probing the local filesystem, using file:// URLs
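As an added example (not rdflib's own code, and not part of the original advisory), the following Python applies two of the precautions named above to a document of the kind described: a pre-flight walk over every @context reference that rejects non-http(s) schemes, non-public addresses and hosts outside an allowlist and caps the number of references per document, and a sys.addaudithook (Python 3.8+) that refuses any urllib.request fetch failing the same policy, wherever in the process it originates. The hostile sample document, the allowlist ALLOWED_CONTEXT_HOSTS and the cap MAX_CONTEXT_REFS are constructed assumptions for the demonstration.

```python
"""Pre-flight policy for JSON-LD @context references plus a process-wide
urllib audit hook. Added example for this advisory, not rdflib code.
ALLOWED_CONTEXT_HOSTS and MAX_CONTEXT_REFS are assumed policy values."""
import ipaddress
import json
import sys
import urllib.request
from urllib.parse import urlsplit

# Assumption: the only remote contexts this service legitimately needs.
ALLOWED_CONTEXT_HOSTS = {"schema.org", "www.w3.org"}
# Assumption: more references than this in one document is treated as abuse
# (every reference is a separate outbound fetch, which is the amplification vector).
MAX_CONTEXT_REFS = 4


def iter_context_refs(node):
    """Yield every remote-context reference in a parsed JSON-LD document.

    A string under @context (or inside an @context list) is fetched; an
    embedded context object is not, except for its "@import" value and any
    scoped @context on a term definition (both JSON-LD 1.1 features).
    """
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "@context":
                yield from _context_values(value)
            else:
                yield from iter_context_refs(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_context_refs(item)


def _context_values(value):
    if isinstance(value, str):
        yield value
    elif isinstance(value, list):
        for item in value:
            yield from _context_values(item)
    elif isinstance(value, dict):
        imported = value.get("@import")
        if isinstance(imported, str):
            yield imported
        yield from iter_context_refs(value)  # scoped contexts in term definitions


def classify_url(url):
    """Return None if url may be fetched, otherwise the reason it is refused."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return f"scheme {parts.scheme!r} not allowed"  # file://, ftp://, data:, ...
    host = parts.hostname
    if not host:
        return "missing host"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a hostname, not a literal address
    if ip is not None and not ip.is_global:
        # loopback, RFC 1918, link-local (169.254.0.0/16 is where cloud
        # metadata services live), ULA, etc.
        return f"non-public address {host}"
    if host not in ALLOWED_CONTEXT_HOSTS:
        return f"host {host!r} not in allowlist"
    return None


def check_jsonld(doc_text):
    """Parse untrusted JSON-LD text and return [(url, reason), ...] for every
    reference that must not be fetched. An empty list means the document may
    be handed to the parser."""
    refs = list(iter_context_refs(json.loads(doc_text)))
    problems = []
    for url in refs:
        reason = classify_url(url)
        if reason:
            problems.append((url, reason))
    if len(refs) > MAX_CONTEXT_REFS:
        problems.append(("*", f"{len(refs)} context references exceed cap of {MAX_CONTEXT_REFS}"))
    return problems


def install_request_hook():
    """Second layer: refuse any urllib.request fetch that fails policy, whether
    issued by application code or by a library. Audit hooks cannot be removed
    once added, so call this once at process start-up."""
    def hook(event, args):
        if event == "urllib.Request":  # args: (full_url, data, headers, method)
            reason = classify_url(args[0])
            if reason:
                raise PermissionError(f"blocked outbound request to {args[0]}: {reason}")
    sys.addaudithook(hook)


def fetch_is_blocked(url):
    """True if the audit hook refused url before any I/O happened."""
    try:
        with urllib.request.urlopen(url) as resp:
            resp.read(1)
        return False
    except PermissionError:
        return True


# Constructed sample of a hostile POST body: one legitimate context padded with
# link-local, file:// and RFC 1918 targets, plus near-duplicates for amplification.
HOSTILE_DOC = json.dumps({
    "@context": [
        "https://schema.org/",
        "http://169.254.169.254/latest/meta-data/",
        "file:///etc/passwd",
        "http://10.0.0.5:8500/v1/kv/",
        "https://schema.org/?x=1",
        "https://schema.org/?x=2",
    ],
    "@type": "Person",
    "name": "x",
})
BENIGN_DOC = json.dumps({"@context": "https://schema.org/", "@type": "Person", "name": "x"})

if __name__ == "__main__":
    for url, reason in check_jsonld(HOSTILE_DOC):
        print(f"reject {url}: {reason}")
    install_request_hook()
    print("file:// fetch blocked by audit hook:", fetch_is_blocked("file:///etc/passwd"))
```

Two caveats a deployment would need to address: the allowlist compares host names, so a permitted name that resolves to an internal address (DNS rebinding) passes both checks, which is why an egress proxy or a resolve-then-check step belongs in front of a real service; and the urllib.Request event is only emitted by urllib.request, so code fetching through another HTTP client needs the broader socket.connect audit event or the proxy. Scenario 3 (memory use) is not covered here and calls for a response size limit in a custom opener.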