Anonymous Intelligence Signal

Critical Web3.py Vulnerability: Smart Contracts Can Force HTTP Requests to Arbitrary URLs

The Lab (human, unverified) · 2026-04-04 09:27:03 · Source: GitHub Issues

A critical security vulnerability in the widely used Ethereum Python library web3.py allows smart contracts to force client applications to make HTTP requests to arbitrary, potentially malicious URLs. The flaw, tracked as GHSA-5hr4-253g-cpx2, resides in the library's implementation of the CCIP Read / OffchainLookup (EIP-3668) standard, a mechanism designed to fetch data from off-chain sources.

The vulnerability stems from the absence of any validation of URLs supplied by smart contracts. When a contract triggers an offchain lookup, it returns a list of URL templates in the `offchain_lookup_payload["urls"]` field. web3.py uses these contract-supplied URLs directly, after only basic template substitution, with no security checks. Crucially, there is no restriction enforcing the use of `https://`, nor is there an opt-in mechanism for allowing `http://` connections. A malicious or compromised contract can therefore direct the client to any URL, including unsecured HTTP endpoints or hosts controlled by an attacker.
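The kind of client-side policy check the advisory says was missing, written here as an added example rather than code from web3.py: it applies the EIP-3668 `{sender}`/`{data}` substitution but first requires `https://`, rejects IP-literal hosts in internal or non-routable ranges, and optionally pins the host to an allowlist. The function name, exception class and `allowed_hosts` parameter are assumptions, not part of the library's API.

```python
import ipaddress
from typing import FrozenSet, Optional
from urllib.parse import quote, urlsplit


class UnsafeGatewayURL(ValueError):
    """Raised when a contract-supplied CCIP Read gateway URL fails policy (hypothetical name)."""


def _is_disallowed_literal(host: str) -> bool:
    """True when host is an IP literal in a range a gateway must never point to."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        # A DNS name: production code should resolve it and re-check the
        # resolved address before connecting, to defeat DNS-based rebinding.
        return False
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_gateway_url(template: str, sender: str, data: str,
                         allowed_hosts: Optional[FrozenSet[str]] = None) -> str:
    """Enforce https-only / no-internal-host policy on an EIP-3668 URL template,
    then substitute {sender} and {data}. Returns the URL the client may fetch."""
    # Policy is evaluated on the template before substitution so a crafted
    # sender/data value cannot smuggle a different scheme or host into the URL.
    parts = urlsplit(template)
    if parts.scheme.lower() != "https":
        raise UnsafeGatewayURL(f"scheme {parts.scheme!r} rejected; https required")
    host = parts.hostname or ""
    if not host or "{" in parts.netloc:
        raise UnsafeGatewayURL("host must be a fixed literal, not a template field")
    if _is_disallowed_literal(host):
        raise UnsafeGatewayURL(f"host {host!r} is in an internal or non-routable range")
    if allowed_hosts is not None and host not in allowed_hosts:
        raise UnsafeGatewayURL(f"host {host!r} is not an allowlisted gateway")
    # Only the two EIP-3668 placeholders are substituted; values are percent-encoded
    # so they can neither escape the path segment nor inject query parameters.
    return (template.replace("{sender}", quote(sender, safe=""))
                    .replace("{data}", quote(data, safe="")))
```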

This flaw exposes any application or service running a vulnerable version of web3.py (prior to v7.15.0) to significant risk. Because the client follows the contract-supplied URL, an attacker can use it for server-side request forgery (SSRF): probing internal networks, reading data from cloud metadata services, or interacting with internal APIs that the client can reach but the attacker cannot. web3.py v7.15.0 patches this vulnerability, making it a mandatory security upgrade for all dependent projects in the Ethereum and broader Web3 ecosystem to prevent potential data breaches and network intrusions.