logo

Database

Improper authorization control for web services In fastapi-proxy-lib

Description

Cookie leakage between different users in fastapi-proxy-lib

Impact

In the implementation of version 0.0.1, requests from different user clients are processed using a shared httpx.AsyncClient.

However, one oversight is that the httpx.AsyncClient will persistently store cookies based on the set-cookie response header sent by the target server and share these cookies across different user requests.

This results in a cookie leakage issue among all user clients sharing the same httpx.AsyncClient.

Patches

It's fixed in 0.1.0

Workarounds

If you insist 0.0.1:

    Do not use ForwardHttpProxy at all.

    Do not use ReverseHttpProxy or ReverseWebSocketProxy for any servers that may potentially send a set-cookie response.

However, it's best to upgrade to the latest version.

References

fixed in #10

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. GHSA-7vwr-g6pm-9hc82. GCVE-GHSA-7vwr-g6pm-9hc8

References

1. https://github.com/WSH032/fastapi-proxy-lib/security/advisories/GHSA-7vwr-g6pm-9hc82. https://github.com/WSH032/fastapi-proxy-lib/pull/10

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.