## Critical Web3.py Vulnerability: Smart Contracts Can Force HTTP Requests to Arbitrary, Unsafe URLs
A critical security flaw in the widely used Ethereum library web3.py allows smart contracts to force client applications to make HTTP requests to arbitrary, potentially malicious URLs without any validation. The vulnerability, tracked as GHSA-5hr4-253g-cpx2, resides in the library's implementation of the CCIP Read / OffchainLookup (EIP-3668) standard, which is designed to fetch data from off-chain sources.

The core of the issue is that web3.py's `OffchainLookup` handler uses the URLs supplied directly in a smart contract's `offchain_lookup_payload["urls"]` field. After performing simple `{sender}` and `{data}` template substitutions, it sends HTTP requests to these URLs. Crucially, the implementation performs no destination validation at all: it does not restrict requests to the `https://` scheme, has no hostname or IP allowlist, and does not block requests to private or reserved IP ranges, including loopback and link-local addresses. This creates a direct vector for server-side request forgery (SSRF) and data exfiltration attacks.

This vulnerability poses a severe risk to any application or service that interacts with untrusted smart contracts using a vulnerable version of web3.py. An attacker could deploy a malicious contract that forces a victim's node or application to make requests to internal network services, cloud metadata endpoints, or other sensitive internal systems, potentially leading to credential theft, data leakage, or further network compromise. The advisory strongly urges all projects to immediately update their dependency to web3.py version 7.15.0 or later, which contains the necessary fixes.
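The three missing checks the advisory names (HTTPS only, an optional host allowlist, and a block on private, reserved, loopback and link-local destinations) are what a client should apply to every gateway URL before following it. The block below is an added, stand-alone example of such a pre-flight check; it is not web3.py's code or its fix, and the function names, the `resolved_addresses` hook and the sample URL list are all constructed for illustration. It renders the `{sender}`/`{data}` template first, then validates the resulting URL, so a placeholder cannot smuggle a destination past the check.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample of the urls list an OffchainLookup revert can carry.
# Hostnames and values are hypothetical; they are not from the advisory.
SAMPLE_URLS = [
    "https://gateway.example/ccip/{sender}/{data}",        # the only acceptable one
    "http://gateway.example/ccip/{sender}/{data}",         # plaintext scheme
    "https://127.0.0.1:8545/{data}",                       # loopback (a local node's RPC port)
    "https://169.254.169.254/latest/meta-data/{data}",     # link-local (cloud metadata range)
    "https://10.0.0.5/{data}",                             # RFC 1918 private
    "https://[::1]/{data}",                                # IPv6 loopback
    "https://[fe80::1]/{data}",                            # IPv6 link-local
    "https://localhost/{data}",                            # name that resolves locally
    "https://user:pw@gateway.example/{data}",              # credentials embedded in the URL
]


def render_template(url_template: str, sender: str, data: str) -> str:
    """Apply the {sender}/{data} substitution EIP-3668 specifies, before validation."""
    return url_template.replace("{sender}", sender).replace("{data}", data)


def address_is_unsafe(ip) -> bool:
    """True for any address a gateway request must never be sent to."""
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def check_gateway_url(url: str, allowed_hosts=None, resolved_addresses=None):
    """Return (ok, reason) for one rendered gateway URL.

    allowed_hosts: optional set of hostnames; when given, anything else is refused.
    resolved_addresses: optional iterable of IP strings the caller obtained by
    resolving the hostname (hypothetical hook; a real client must also pin the
    connection to the addresses it checked, or DNS rebinding defeats the check).
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False, "scheme must be https"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL is not allowed"
    try:
        parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed port"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost is not a valid gateway"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a DNS name rather than an IP literal
    if ip is not None and address_is_unsafe(ip):
        return False, f"destination {ip} is in a private/reserved range"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, f"host {host} is not on the allowlist"
    for addr in resolved_addresses or ():
        if address_is_unsafe(ipaddress.ip_address(addr)):
            return False, f"host {host} resolves to unsafe address {addr}"
    return True, "ok"


def filter_gateway_urls(url_templates, sender, data, allowed_hosts=None):
    """Render every template and keep only the URLs that pass the check."""
    safe = []
    for template in url_templates:
        url = render_template(template, sender, data)
        ok, _reason = check_gateway_url(url, allowed_hosts=allowed_hosts)
        if ok:
            safe.append(url)
    return safe


if __name__ == "__main__":
    for template in SAMPLE_URLS:
        url = render_template(template, "0xSENDER", "0xDATA")
        print(check_gateway_url(url), url)
```

Run as a script it prints the verdict for each sample URL; only the first survives. Checking the IP literal in the URL is not sufficient on its own, which is why the hook for resolved addresses exists: a hostname that passes the literal check can still resolve to a loopback or metadata address, so the client must validate the addresses it actually connects to and keep using exactly those, rather than re-resolving at connect time.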

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security, vulnerability, ethereum, python, smart-contracts
- **Credibility**: unverified
- **Published**: 2026-04-04 07:26:52
- **ID**: 49809
- **URL**: https://whisperx.ai/en/intel/49809