All outbound HTTP requests now block 3xx redirects by default via a new environment variable, preventing attackers from using public URLs to silently redirect to internal addresses.
Added default blocking of 3xx redirects for outbound HTTP requests via `AIOHTTP_CLIENT_ALLOW_REDIRECTS` environment variable
Users and operators can now prevent malicious actors from exploiting public-facing endpoints to access internal networks (RFC 1918, loopback, cloud metadata) via redirected HTTP calls — reducing exposure to lateral movement attacks. This change should be monitored for false positives in legitimate proxy workflows that rely on controlled redirects, especially in enterprise deployments with complex network segmentation.
{
"event_id": "event_7e5ef92d58406a76",
"topic_id": "consumer_ai_applications",
"event_type": "Release",
"event_time": "2026-05-10T18:14:07Z",
"title": "Redirect-based SSRF protection for outbound HTTP requests",
"summary": "All outbound HTTP requests now block 3xx redirects by default via a new environment variable, preventing attackers from using public URLs to silently redirect to internal addresses.",
"contribution": "Added default blocking of 3xx redirects for outbound HTTP requests via `AIOHTTP_CLIENT_ALLOW_REDIRECTS` environment variable",
"impact": "Users and operators can now prevent malicious actors from exploiting public-facing endpoints to access internal networks (RFC 1918, loopback, cloud metadata) via redirected HTTP calls — reducing exposure to lateral movement attacks. This change should be monitored for false positives in legitimate proxy workflows that rely on controlled redirects, especially in enterprise deployments with complex network segmentation.",
"maturity": "Production",
"confidence": 0,
"importance_score": 0.9,
"risk_flags": [
"Redirect Bypass Potential",
"Proxy Workflow Disruption"
],
"evidence_count": 1
}Sign in to submit review notes for this event judgment and its evidence trail.