CVEReports

GHSA-4cc2-g9w2-fhf6: Server-Side Request Forgery in python-zeep via Transitive Schema Resolution

Amit Schendel
Senior Security Researcher

Jun 21, 2026 · 6 min read

Executive Summary (TL;DR)

A silent regression in python-zeep versions 4.0.0 to 4.3.2 ignores the forbid_external security setting, allowing remote attackers to trigger unauthenticated SSRF against internal endpoints.

A regression in python-zeep (versions 4.0.0 through 4.3.2) silently ignores the security configuration designed to block transitive external resource fetches during WSDL and XSD parsing. This defect exposes applications to Server-Side Request Forgery (SSRF) when loading untrusted schemas.

Vulnerability Overview

The python-zeep library is a widely utilized SOAP client for Python. It parses Web Services Description Language (WSDL) and XML Schema Definition (XSD) files to compile programmatic interfaces for interacting with web services. During parsing, the library must resolve various nested elements and external schema components to build complete request and response models.

By default, SOAP definitions allow referring to other schemas through elements such as <xsd:import>, <xsd:include>, and <wsdl:import>. In python-zeep, processing these transitive references triggers secondary network requests to load the referenced target URLs. If an attacker controls or influences the initial schema file, they can direct the client to parse nested references pointing to sensitive internal endpoints.

This behavior leads to Server-Side Request Forgery (SSRF), classified under CWE-918. Although python-zeep defined a configuration parameter named Settings.forbid_external to disable these remote fetches, a major architectural change caused the setting to be ignored. The vulnerability exposes application servers to unintended outbound connections, enabling access to cloud instance metadata services and private network segments.

Root Cause Analysis

The root cause of this regression stems from an architectural migration away from the defusedxml package in version 4.0.0. Prior to this release, python-zeep relied on defusedxml to parse incoming XML and prevent standard XML-based vectors, such as XML Entity Expansion and external entity resolution. When the project transitioned to utilizing native lxml parsing logic combined with a custom resolver, the security mechanisms were refactored.

During this transition, the security configuration forbid_external was correctly declared in the Settings class with a default value of True. However, the loader and schema resolver implementations were not updated to read or enforce this attribute. Specifically, neither ImportResolver in src/zeep/loader.py nor the schema parsers in the WSDL and XSD submodules passed the settings object down to the active parser resolution context.

As a consequence, when the lxml engine encountered an external reference, it invoked the custom ImportResolver class. Because this class had no knowledge of the forbid_external setting, it unconditionally resolved any http or https URI through the application's transport layer. The configuration setting remained a silent, non-functional parameter that developers assumed was protecting their environment.

Code Analysis and Diagram

To understand the resolution path and where the security policy failed, analyze the interaction between the loader and the XML parsers. The following diagram illustrates how the missing reference allowed external loads to bypass the security switch:

In the vulnerable implementation of src/zeep/loader.py, the custom resolver class did not receive the settings configuration block during initialization:

# src/zeep/loader.py (Vulnerable Code)
from urllib.parse import urlparse
from lxml.etree import Resolver

class ImportResolver(Resolver):
    def __init__(self, transport):
        # Settings are never passed or stored
        self.transport = transport

    def resolve(self, url, pubid, context):
        if urlparse(url).scheme in ("http", "https"):
            # Unconditional remote retrieval occurs here
            content = self.transport.load(url)
            return self.resolve_string(content, context)
        # Non-http(s) URIs fall through to lxml's default resolution

The fix introduces the settings parameter into the resolver and checks the forbid_external attribute prior to dispatching network queries:

# src/zeep/loader.py (Patched Code)
from urllib.parse import urlparse
from lxml.etree import Resolver
from zeep.settings import Settings

class ImportResolver(Resolver):
    def __init__(self, transport, settings=None):
        self.transport = transport
        # Fall back to the library defaults if no settings are provided
        self.settings = settings or Settings()

    def resolve(self, url, pubid, context):
        if urlparse(url).scheme in ("http", "https"):
            # Enforce the security boundary before any network request
            if self.settings.forbid_external:
                raise ExternalReferenceForbidden(url)
            content = self.transport.load(url)
            return self.resolve_string(content, context)

Furthermore, the patch introduces an internal flag called _initial when parsing documents. This flag ensures that the top-level schema specified by the developer is allowed to load, but any subsequent secondary, recursive schemas triggered by imports are subjected to the strict forbid_external check.
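The resolution path and the _initial rule described above, as an added example that is not zeep's own code: a stdlib-only walker over constructed WSDL/XSD documents (the FAKE_TRANSPORT dictionary and the internal.example host are constructed placeholders) that always allows the developer-supplied top-level document, blocks every nested http(s) reference when forbid_external is set, and otherwise returns the fetch order, including a relative <xsd:include> resolved against its parent document.

```python
from urllib.parse import urljoin, urlparse
import xml.etree.ElementTree as ET

XSD = "{http://www.w3.org/2001/XMLSchema}"
WSDL = "{http://schemas.xmlsoap.org/wsdl/}"

class ExternalReferenceForbidden(Exception):
    """Raised for a nested http(s) reference while forbid_external is set."""

# Constructed documents standing in for the transport (url -> body); the
# internal host name is a placeholder, not a real target.
FAKE_TRANSPORT = {
    "https://example.com/api?wsdl": (
        '<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" '
        'xmlns:xsd="http://www.w3.org/2001/XMLSchema"><wsdl:types><xsd:schema>'
        '<xsd:import namespace="urn:x" schemaLocation="http://internal.example/a.xsd"/>'
        "</xsd:schema></wsdl:types></wsdl:definitions>"),
    "http://internal.example/a.xsd": (
        '<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema">'
        '<xsd:include schemaLocation="b.xsd"/></xsd:schema>'),  # relative reference
    "http://internal.example/b.xsd": '<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"/>',
}

def load_schema_tree(url, transport, forbid_external=True, _initial=True, seen=None):
    """Fetch url and walk its transitive xsd:import/xsd:include/wsdl:import
    references. The top-level document (_initial=True) is always allowed; each
    nested http(s) reference is checked against forbid_external first."""
    seen = [] if seen is None else seen
    if not _initial and forbid_external and urlparse(url).scheme in ("http", "https"):
        raise ExternalReferenceForbidden(url)
    if url in seen:  # import cycles must not recurse forever
        return seen
    seen.append(url)
    root = ET.fromstring(transport[url])
    for elem in root.iter():
        loc = None
        if elem.tag in (XSD + "import", XSD + "include"):
            loc = elem.get("schemaLocation")
        elif elem.tag == WSDL + "import":
            loc = elem.get("location")
        if loc:  # relative locations resolve against the document naming them
            load_schema_tree(urljoin(url, loc), transport, forbid_external, False, seen)
    return seen

def resolve(url, forbid_external):
    """Demo wrapper: ("blocked", offending_url) or ("fetched", [urls])."""
    try:
        return "fetched", load_schema_tree(url, FAKE_TRANSPORT, forbid_external)
    except ExternalReferenceForbidden as exc:
        return "blocked", str(exc)
```

With forbid_external=True the walk stops at the first nested http reference before any fetch of it; with it disabled the same document pulls in both internal schemas.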

Exploitation Methodology

To exploit this vulnerability, an attacker must identify an application endpoint that accepts a user-provided WSDL or XSD URL, or processes an uploaded XML document that gets parsed by python-zeep. The target application does not need to run with elevated privileges; the client context is sufficient.

The attack vector begins by hosting a custom WSDL document on a public server. This document contains a transitive schema import directing the server to retrieve an internal host resource. The target URL is typically directed toward local loopback addresses, RFC 1918 private subnets, or cloud-specific instance metadata links:

<?xml version="1.0" encoding="utf-8"?>
<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
                  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                  targetNamespace="http://example.com/">
  <wsdl:types>
    <xsd:schema targetNamespace="http://example.com/">
      <xsd:import namespace="http://internal.service/"
                  schemaLocation="http://169.254.169.254/latest/meta-data/iam/security-credentials/"/>
    </xsd:schema>
  </wsdl:types>
</wsdl:definitions>

When the vulnerable application processes this file, the custom ImportResolver reads the schemaLocation parameter. It triggers an HTTP GET request to the local AWS Instance Metadata Service (IMDSv1). If successful, the fetched administrative credentials are included in the compilation cycle or leaked through parsing error messages returned in the HTTP response.

Impact & Security Assessment

The impact of this vulnerability is significant for systems deployed in cloud-native environments or connected to restricted intranet services. Through SSRF, unauthenticated remote attackers can query non-routable internal networks that are shielded from the public internet. This allows port scanning, identification of local network topology, and interaction with unauthenticated management interfaces.

In environments utilizing cloud infrastructure (such as AWS, Google Cloud, or Microsoft Azure), the vulnerability allows retrieval of instance metadata. For example, queries targeting http://169.254.169.254/ can leak short-term IAM credentials, instance configuration data, and network bootstrap tokens.

This vulnerability has been assigned a CVSS v3.1 base score of 5.9 (Medium). The scoring reflects a high confidentiality impact (C:H) due to potential credential exposure, combined with a high attack complexity (AC:H) because exploitation depends on application endpoints accepting dynamic schema paths and processing them under a vulnerable client configuration.

Remediation & Defense-in-Depth

To completely resolve this vulnerability, update python-zeep to version 4.3.3 or later. It is critical to recognize that upgrading the library alone is insufficient to secure the application. To maintain backwards compatibility with existing implementations, the patch updated the default value of the forbid_external parameter from True to False.

Developers must explicitly enable this parameter during client initialization. To secure your implementation, modify the client configuration as shown below:

from zeep import Client, Settings

# Configure settings to explicitly block transitive external schemas
settings = Settings(forbid_external=True)

# Instantiate the client with the secure settings
client = Client("https://example.com/api?wsdl", settings=settings)

If upgrading immediately is not possible, implement firewall rules to restrict egress traffic. Restrict application containers from making outbound network connections to local resources and the link-local metadata range (169.254.169.254). If possible, transition AWS environments to IMDSv2 and enforce a session token hop limit of 1 to mitigate metadata extraction.

Official Patches

mvantellingen: Security fix commit wiring up the forbid_external setting
mvantellingen: Release tag for 4.3.3 containing the security patch

Technical Appendix

CVSS Score
5.9 / 10
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Systems

Applications implementing python-zeep (zeep) version 4.0.0 through 4.3.2

Affected Versions Detail

Product: zeep (mvantellingen)
Affected Versions: >= 4.0.0, <= 4.3.2
Fixed Version: 4.3.3

Attribute / Detail

CWE ID: CWE-918
Attack Vector: Network
CVSS v3.1: 5.9 (Medium)
Impact: Confidentiality High
Exploit Status: Proof of Concept available
KEV Status: Not listed

MITRE ATT&CK Mapping

T1190 Exploit Public-Facing Application (Initial Access)
T1557 Adversary-in-the-Middle (Credential Access)

CWE-918: Server-Side Request Forgery (SSRF)

The web server receives a URL from an upstream client and retrieves the resource without validating the destination.

Known Exploits & Detection

GitHub Security Advisory: https://github.com/mvantellingen/python-zeep/security/advisories/GHSA-4cc2-g9w2-fhf6

Vulnerability Timeline

2020-09-01: Version 4.0.0 released with the regression (migration from defusedxml to lxml)
2026-06-18: Vulnerability identified and code patch committed
2026-06-19: GHSA-4cc2-g9w2-fhf6 advisory published and version 4.3.3 released

Attack Flow Diagram (interactive figure; not reproduced in text)
