A major security vulnerability appeared in the mitmproxy service that allowed an adversary to conduct HTTP request smuggling attacks. Thankfully, the vulnerability received a fix before facing exploit in the wild.
mitmproxy HTTP Request Smuggling Bug
According to a recent advisory from mitmproxy, the developers have released mitmproxy 8 with numerous bug fixes. These include a significant security fix, addressing a HTTP request smuggling vulnerability.
Specifically, mitmproxy is an open-source HTTPS proxy, useful for penetration testing, debugging, and other related activities. It can help “intercept, inspect, modify and replay web traffic such as HTTP/1, HTTP/2, WebSockets, or any other SSL/TLS-protected protocols.”
As elaborated, the bug caught the attention of the researcher Zhang Zeyu, who then reported it to mitmproxy maintainers.
According to the details shared in a separate GitHub advisory, an HTTP request smuggling attack threatened the mitmproxy 7.0.4 and earlier versions. Describing the vulnerability, the advisory states,
This means that a malicious client/server could smuggle a request/response through mitmproxy as part of another request/response’s HTTP message body. While mitmproxy would only see one request, the target server would see multiple requests. A smuggled request is still captured as part of another request’s body, but it does not appear in the request list and does not go through the usual mitmproxy event hooks, where users may have implemented custom access control checks or input sanitization.
The flaw typically affected mitmproxy users using this service to protect HTTP/1 service; HTTP/2 remains unaffected.
This bug has received the ID number CVE-2022-24766 with a critical severity rating and a base score of 9.8. Nonetheless, according to the statement of Maximilian Hils, mitmproxy maintainer, to the DailySwig, exploiting this vulnerability isn’t easy.
From a practical point of view, I’d argue that the impact is non-existent for the vast majority of users… There are a lot of not-so-common preconditions that need to be met.
Since the patched version is publicly available, users should ensure updating asap to get the fix.