PYSEC-2026-577
rok Python ProxyShare can be used as an SSRF proxy through absolute URL paths
Details
## Summary
Alice exposes a Python SDK `ProxyShare` with a fixed target URL. Bob sends a request to the share with an absolute URL in the path. The Flask handler passes that path to `urllib.parse.urljoin`, which replaces Alice's configured target host with Bob's host and returns the server-side response to Bob.
## Details The Python SDK proxy route accepts every path under the share:
```python @app.route('/', defaults={'path': ''}, methods=['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS']) @app.route('/<path:path>', methods=['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS']) def proxy(path): ```
It constructs the outbound URL with `urljoin` and then sends the request:
```python url = urllib.parse.urljoin(self.target, path) resp = requests.request( method=request.method, url=url, headers={key: value for (key, value) in request.headers if key.lower() not in HOP_BY_HOP_HEADERS}, data=request.get_data(), cookies=request.cookies, allow_redirects=False, stream=True, verify=self.verify_ssl ) ```
When `path` is `[http://127.0.0.1:19190/metadata`](http://127.0.0.1:19190/metadata%60), `urljoin(self.target, path)` returns `[http://127.0.0.1:19190/metadata`](http://127.0.0.1:19190/metadata%60). The proxy sends the request to Bob's chosen URL rather than Alice's target.
Are you affected?
Enter the version of the package you're using.
Affected packages
0.4.47 No fixed version published yet for zrok (pip). Pin to a known-safe version or switch to an alternative.