GHSA-63cx-g855-hvv4 – mitmproxy
Package
Manager: pip
Name: mitmproxy
Vulnerable Version: >=0 <12.1.2
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
EPSS: N/A (percentile: N/A)
Details
mitmproxy binaries embed a vulnerable python-hyper/h2 dependency. mitmproxy 12.1.1 and below embed python-hyper/h2 ≤ v4.2.0, which has a gap in its HTTP/2 header validation. This enables request smuggling when mitmproxy is in a configuration where it translates HTTP/2 to HTTP/1, for example when it acts as a reverse proxy to `http://` backends. It does not affect mitmproxy's regular mode. All users are encouraged to upgrade to mitmproxy 12.1.2, which includes a fixed version of h2. More details about the vulnerability itself can be found at https://github.com/python-hyper/h2/security/advisories/GHSA-847f-9342-265h.
Metadata
Created: 2025-08-25T21:01:00Z
Modified: 2025-08-25T21:01:01Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-63cx-g855-hvv4/GHSA-63cx-g855-hvv4.json
CWE IDs: ["CWE-1395", "CWE-444"]
Alternative ID: N/A
Finding: F110
Auto approve: 1