
Cloud Vulnerability DB
A community-led vulnerabilities database
SafeURL-Python, a library designed to protect against Server-Side Request Forgery (SSRF) vulnerabilities, was found to have a security flaw tracked as GHSA-373w-rj84-pv6x. The vulnerability, discovered and disclosed on June 23, 2023, affects versions of the SafeURL-Python package prior to 1.3. The issue allows attackers to bypass hostname blocklists by using Fully Qualified Domain Names (FQDNs) (GitHub Advisory).
The vulnerability stems from an implementation flaw in the hostname validation mechanism. When a hostname was on the blocklist, attackers could bypass the restriction by simply appending a dot (.) to the end of the hostname, converting it to its FQDN form. The bypass worked because the library's domain comparison logic compared the raw strings and did not normalize the FQDN format before matching (GitHub PR). The vulnerability is rated as Low severity, indicating limited potential impact.
While the core functionality of blocking requests to internal/private IPs remained unaffected, the vulnerability could allow attackers to bypass specific hostname blocks set by library users. This could potentially enable SSRF attacks against explicitly blocked hostnames that were intended to be restricted (GitHub Advisory).
The vulnerability was patched in version 1.3 of SafeURL-Python. The fix involves properly handling FQDN formats during domain comparison. Additionally, the project maintainers recommend routing outbound requests through a proxy like Smokescreen or implementing proper network-level firewalling as primary SSRF mitigation strategies, using application-layer defenses like SafeURL only when these options are not practical (GitHub PR).
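To make the flaw and the fix concrete, here is an added example of a simplified hostname-blocklist check. It is not SafeURL-Python's own code; the blocklist entries, URLs and function names (`is_blocked_naive`, `normalize_host`, `is_blocked_fixed`, `is_private_ip_literal`) are constructed for illustration. The naive check compares the raw hostname and so misses the trailing-dot FQDN form; the fixed check normalizes both sides before comparing, and a separate IP-literal check shows the private-address blocking that the advisory says was unaffected.

```python
# Added example (not SafeURL-Python's code): blocklist comparison with and
# without FQDN normalization, illustrating GHSA-373w-rj84-pv6x.
import ipaddress
from urllib.parse import urlsplit

# Constructed sample blocklist; an application would supply its own entries.
BLOCKED_HOSTS = {"internal.example.com", "metadata.example.test"}


def host_of(url: str) -> str:
    """Return the host component of a URL, raising if there is none."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"URL has no host: {url!r}")
    return host


def is_blocked_naive(url: str) -> bool:
    """Flawed check: a raw string comparison.

    'internal.example.com.' (the FQDN form) is not equal to
    'internal.example.com', so the trailing dot slips past the blocklist.
    """
    return host_of(url) in BLOCKED_HOSTS


def normalize_host(host: str) -> str:
    """Canonicalize a hostname before comparison.

    Strips trailing dots (FQDN form) and lowercases, so that
    'Internal.Example.COM.' and 'internal.example.com' compare equal.
    """
    return host.rstrip(".").lower()


def is_blocked_fixed(url: str) -> bool:
    """Hardened check: normalize both the candidate and every blocklist entry."""
    normalized_blocklist = {normalize_host(h) for h in BLOCKED_HOSTS}
    return normalize_host(host_of(url)) in normalized_blocklist


def is_private_ip_literal(url: str) -> bool:
    """Independent layer: reject URLs whose host is a literal private/loopback
    address. This is the internal-IP blocking the advisory describes as
    unaffected by the FQDN bug; it does not resolve names (offline example).
    """
    try:
        addr = ipaddress.ip_address(host_of(url).strip("[]"))
    except ValueError:
        return False  # not an IP literal; name-based checks apply instead
    return addr.is_private or addr.is_loopback or addr.is_link_local


if __name__ == "__main__":
    for u in ("http://internal.example.com/x", "http://internal.example.com./x"):
        print(u, "naive:", is_blocked_naive(u), "fixed:", is_blocked_fixed(u))
```

Run stand-alone, the script prints that the naive check blocks `internal.example.com` but lets `internal.example.com.` through, while the normalized check blocks both. Normalization of this kind is still only an application-layer defense; as the maintainers note, network-level egress controls or a proxy remain the primary SSRF mitigation.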
Source: This report was generated using AI