Server-side Request Forgery (SSRF) Affecting zeep package, versions [4.0.0,4.3.3)


Severity: high

CVSS assessment by Snyk's Security Team.

  • Snyk ID: SNYK-PYTHON-ZEEP-17675232
  • Published: 29 Jun 2026
  • Disclosed: 19 Jun 2026
  • Credit: Unknown

Introduced: 19 Jun 2026

CVE: not available. CWE: CWE-918

How to fix?

Upgrade zeep to version 4.3.3 or higher.

Overview

zeep is a Python SOAP client.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) while parsing WSDL or XSD documents, because transitive references such as xsd:import, xsd:include and wsdl:import, as well as lxml entity/DTD resolution, are followed. An attacker who can supply or influence the contents of a WSDL/XSD document can cause the application to make outbound requests to arbitrary URLs, potentially reaching internal-only services or sensitive endpoints.

Workaround

This vulnerability can be mitigated by avoiding the loading of untrusted WSDL/XSD documents, vendoring schemas locally and loading them from local files, restricting egress at the network layer to block outbound traffic to sensitive ranges, or using a restrictive custom Transport to allow-list URLs.
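The last workaround, a restrictive custom Transport that allow-lists URLs, as an added example that is not part of the advisory or of zeep itself. It assumes zeep 4.x, where Transport.load(url) is the method the WSDL/XSD resolver calls for every transitive reference; the hostnames are constructed placeholders.

```python
"""Allow-listed zeep Transport: example code added here, not zeep's own. Assumes zeep 4.x,
whose Transport.load(url) fetches WSDL/XSD documents and their xsd:import, xsd:include
and wsdl:import references, while get()/post() carry the service calls themselves."""
from urllib.parse import urlsplit

try:
    from zeep.transports import Transport
except ImportError:  # keeps the policy runnable where zeep is not installed
    class Transport:  # minimal stand-in with zeep's method names
        def load(self, url): return b""
        def get(self, address, params, headers): return None
        def post(self, address, message, headers): return None

class DisallowedURL(Exception): """A WSDL/XSD reference or service address is off the allow list."""

def is_allowed(url, allowed_hosts, schemes=("https",)):
    """True only for an absolute URL with an allowed scheme and an allow-listed host
    ("host" = any port, "host:port" = that port); file:// and bare paths are refused."""
    parts = urlsplit(url)
    try:
        port = parts.port  # ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme not in schemes or not parts.hostname:
        return False
    host = parts.hostname.lower()  # "https://a@b/" resolves to host b, not a
    netloc = host if port is None else f"{host}:{port}"
    return host in allowed_hosts or netloc in allowed_hosts

class AllowListTransport(Transport):
    def __init__(self, allowed_hosts, **kwargs):
        super().__init__(**kwargs)
        self.allowed_hosts = {h.lower() for h in allowed_hosts}

    def _check(self, url):
        if not is_allowed(url, self.allowed_hosts):
            raise DisallowedURL(f"blocked outbound request to {url!r}")

    def load(self, url):  # schema documents and every transitive reference
        self._check(url)
        return super().load(url)

    def get(self, address, params, headers):
        self._check(address)
        return super().get(address, params, headers)

    def post(self, address, message, headers):
        self._check(address)
        return super().post(address, message, headers)
```

Pass an instance as `Client(wsdl_url, transport=AllowListTransport({"soap.example.com"}))`; a schema that imports from any other host then fails closed with DisallowedURL instead of triggering an outbound request.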
