Authentication Bypass Affecting mitmproxy package, versions *
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-DEBIANUNSTABLE-MITMPROXY-8689989
- published8 Feb 2025
- disclosed6 Feb 2025
Introduced: 6 Feb 2025
NewCVE-2025-23217 (opens in a new tab)How to fix?
There is no fixed version for Debian:unstable mitmproxy.
NVD Description
Note: Versions mentioned in the description apply only to the upstream mitmproxy package and not the mitmproxy package as distributed by Debian.
See How to fix? for Debian:unstable relevant fixed versions and status.
mitmproxy is a interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers and mitmweb is a web-based interface for mitmproxy. In mitmweb 11.1.1 and below, a malicious client can use mitmweb's proxy server (bound to *:8080 by default) to access mitmweb's internal API (bound to 127.0.0.1:8081 by default). In other words, while the cannot access the API directly, they can access the API through the proxy. An attacker may be able to escalate this SSRF-style access to remote code execution. The mitmproxy and mitmdump tools are unaffected. Only mitmweb is affected. This vulnerability has been fixed in mitmproxy 11.1.2 and above. Users are advised to upgrade. There are no known workarounds for this vulnerability.