Skip to content

security: fix SSRF in load_image and load_video URL fetching#13761

Open
hoangperry wants to merge 1 commit into
huggingface:mainfrom
hoangperry:fix/ssrf-load-image-video-url
Open

security: fix SSRF in load_image and load_video URL fetching#13761
hoangperry wants to merge 1 commit into
huggingface:mainfrom
hoangperry:fix/ssrf-load-image-video-url

Conversation

@hoangperry
Copy link
Copy Markdown

@hoangperry hoangperry commented May 17, 2026

Summary

load_image() and load_video() call requests.get(url) with no URL validation. When diffusers is deployed as a server-side inference API, any user who supplies image/video URLs can cause the server to make HTTP requests to internal network addresses including cloud metadata endpoints.

Vulnerable code (before)

# load_image
image = PIL.Image.open(requests.get(image, stream=True, timeout=DIFFUSERS_REQUEST_TIMEOUT).raw)

# load_video
response = requests.get(video, stream=True)

requests.get follows HTTP redirects by default, so an attacker-controlled server returning a 302 to an internal address bypasses any future URL-based filtering.

Fix

Add _validate_url() that resolves the hostname to IP and blocks RFC 1918 (10.x, 172.16.x, 192.168.x), loopback (127.x), and link-local (169.254.x) ranges before any HTTP request is made.

Test plan

  • http://127.0.0.1/image.jpg → ValueError (loopback)
  • http://169.254.169.254/image.jpg → ValueError (cloud metadata)
  • http://10.0.0.1/image.jpg → ValueError (RFC 1918)
  • https://upload.wikimedia.org/image.jpg → works normally

@github-actions github-actions Bot added utils size/S PR with diff < 50 LOC labels May 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

size/S PR with diff < 50 LOC utils

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@hoangperry