Homepage

Unintended Proxy or Intermediary ('Confused Deputy') Affecting mitmproxy package, versions [,11.1.2)

Severity

 Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-PYTHON-MITMPROXY-8689799
  • published7 Feb 2025
  • disclosed6 Feb 2025
  • creditStefan Grönke
Report a new vulnerability Found a mistake?

Introduced: 6 Feb 2025

NewCVE-2025-23217  (opens in a new tab)
CWE-441  (opens in a new tab)

How to fix?

Upgrade mitmproxy to version 11.1.2 or higher.

Overview

mitmproxy is an interactive, SSL/TLS-capable intercepting proxy with a console interface for HTTP/1, HTTP/2, and WebSockets.

Affected versions of this package are vulnerable to Unintended Proxy or Intermediary ('Confused Deputy') through the proxy server configuration. An attacker can escalate unauthorized access and potentially execute arbitrary code by exploiting the proxy to route requests to the internal API.

Notes:

  1. The mitmproxy and mitmdump tools are unaffected. Only mitmweb is affected;

  2. This is only exploitable if the attacker is in the same local network.

CVSS Scores

version 4.0
version 3.1