Server-side Request Forgery (SSRF) Affecting reportlab package, versions [0,3.5.55)



    Attack Complexity Low
    Confidentiality High

    Threat Intelligence

    Exploit Maturity Proof of concept
    EPSS 0.16% (52nd percentile)
Expand this section
6.5 medium
Expand this section
Red Hat
5.4 medium

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • published 3 Jan 2021
  • disclosed 27 Oct 2020
  • credit Karan Bamal

How to fix?

Upgrade reportlab to version 3.5.55 or higher.


reportlab is a Python library for generating PDFs and graphics.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via img tags. In order to reduce risk, use trustedSchemes & trustedHosts (see in Reportlab's documentation), introduced in version 3.5.55.

Steps to reproduce by Karan Bamal:

  1. Download and install the latest package of reportlab
  2. Go to demos -> odyssey -> dodyssey
  3. In the text file odyssey.txt that needs to be converted to pdf inject <img src="" valign="top"/>
  4. Create a nc listener nc -lp 5000
  5. Run python3
  6. You will get a hit on your nc showing we have successfully proceded to send a server side request
  7. will show error since there is no img file on the url, but we are able to do SSRF