Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-63cx-g855-hvv4: mitmproxy binaries embed a vulnerable python-hyper/h2 dependency

mitmproxy 12.1.1 and below embed python-hyper/h2 ≤ v4.2.0, which has a gap in its HTTP/2 header validation. This enables request smuggling attacks when mitmproxy is in a configuration where it translates HTTP/2 to HTTP/1. For example, this affects reverse proxies to http:// backends. It does not affect mitmproxy’s regular mode.

All users are encouraged to upgrade to mitmproxy 12.1.2, which includes a fixed version of h2.

More details about the vulnerability itself can be found at https://github.com/python-hyper/h2/security/advisories/GHSA-847f-9342-265h.

ghsa
Open in Source
#vulnerability#git

mitmproxy 12.1.1 and below embed python-hyper/h2 ≤ v4.2.0, which has a gap in its HTTP/2 header validation. This enables request smuggling attacks when mitmproxy is in a configuration where it translates HTTP/2 to HTTP/1. For example, this affects reverse proxies to http:// backends. It does not affect mitmproxy’s regular mode.

All users are encouraged to upgrade to mitmproxy 12.1.2, which includes a fixed version of h2.

More details about the vulnerability itself can be found at GHSA-847f-9342-265h.

References

  • GHSA-63cx-g855-hvv4
  • GHSA-847f-9342-265h

ghsa: Latest News

GHSA-63cx-g855-hvv4: mitmproxy binaries embed a vulnerable python-hyper/h2 dependency
ghsa